23542300x800000000000000054389Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.980{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8ABD23BC4B52945010206C720C7210,SHA256=CD0995EC138757922D5FA800C5239EA7E04A11B31A83803180937622512489CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074737Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.964{2F630BB9-CFF6-611B-5A0D-00000000F001}54085936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074736Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-CFF6-611B-5A0D-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074735Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074734Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074733Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074732Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074731Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-CFF6-611B-5A0D-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074730Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-CFF6-611B-5A0D-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074729Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.827{2F630BB9-CFF6-611B-5A0D-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000074728Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.296{2F630BB9-CFF6-611B-590D-00000000F001}80367112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000074727Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.165{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20E57AB0CCAE958FF018CBE2F60E5E3,SHA256=B73D4733B2C81BCAA009EC2A24C49DFD38614C7D9D2999DDFF9660AA44A09E19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054388Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054387Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054386Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054385Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054384Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054383Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054382Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:22.324{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074726Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-CFF6-611B-590D-00000000F001}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074725Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074724Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074723Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074722Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074721Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-CFF6-611B-590D-00000000F001}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074720Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.143{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-CFF6-611B-590D-00000000F001}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074719Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:22.144{2F630BB9-CFF6-611B-590D-00000000F001}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054391Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:23.996{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A315B938BF9CF28A5958C5609CE5179,SHA256=923BFB6FB013832A952227E85DCD09A79DD9FBD5455AF9EDA12EC8E97010F22E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074739Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:21.307{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56338-false10.0.1.12-8000- 23542300x800000000000000074738Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:23.179{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E995DE5AFF142AB69144A8AC2178438D,SHA256=2061FABE505CD364C446E3244A9E3B8994008C608A1DAFBC5AA8973D6851D8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054390Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:21.563{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000074740Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:24.241{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69FFD232F43D8CC2548EE61A438BF65,SHA256=9671E59BAB34578D737C40D1D19E270933E1CEE175289C6C66322D00AE63A940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054392Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:25.011{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD02CA63582FAD2A6239B3C7A59FC2A,SHA256=112D6A70040B9A50FCDEB8EED989ED2B6C535FE976D1F9234840052F6AE64093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074749Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.261{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4B76FF422127E8F7FC8B85C68C9FAF,SHA256=5E608E92FC15FB2D78F0DEAF7004158F3F0A2EEF558E663B3E0C1D288B68EFB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074748Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-CFF9-611B-5B0D-00000000F001}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074747Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074746Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074745Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074744Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074743Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-CFF9-611B-5B0D-00000000F001}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074742Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.208{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-CFF9-611B-5B0D-00000000F001}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074741Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:25.209{2F630BB9-CFF9-611B-5B0D-00000000F001}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054393Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:26.027{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E2215F84E933E798B07ED4A7EEDA05,SHA256=E95C311BD32E4EBD044B8EA23ADEB99295E0E9DB30C646CE1CCD3E4BD73FD254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074752Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:26.276{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA13A0D285DE559910B2D26048D7A250,SHA256=2BB922F3B1474F2B6EFEF3FFFD076AE05DB66B1B6C6D8DA40A80A00E9A3BC2F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074751Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:23.869{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56339-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000074750Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:23.869{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56339-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000074753Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:27.291{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DF42C14C15925E922CE95849010BA4,SHA256=38BACA0F83FCA097973989C42498B5A204E2E65AAF521493B587CCD9FD0515C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054401Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.605{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054400Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.605{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054399Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.605{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054398Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.589{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054397Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.589{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054396Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.589{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054395Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.589{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054394Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.042{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339176AC4AD358A56E27187415A35566,SHA256=9AB1417E220F23064FA20C04C121F36E65CAFA7BB01EA1A82B7038B54649391C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074754Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:28.305{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBBD84CDD7102A3977337E1B97EBF46,SHA256=9014C41979BBC656208B77DB11CB3EAD54A8225ED48F929F3762AFA8C21F98D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054402Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:28.058{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239294F51E04AEC87AB6FC45E024675E,SHA256=9190D040E185FF28E87319CADCF0105AF62FCDC0C84DE500E825B56DE210A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074755Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:29.354{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7076F57EEED4C77F5897C8036A76724,SHA256=9D7C77DE1E7FF0F76045DDDD6AED4D924E22730E863290925FCB3930ADEC8EBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054404Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:27.563{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054403Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:29.074{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884BDDC26CB9C8A997B348FEEB240C1,SHA256=CFB169AD2DB91A737FA08E0EE65889398F30881CDF5FC3276F29C8E4966A7E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054405Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:30.089{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6D06D075986E023FBA6302A34A3578,SHA256=04C53D79D2C215945998DC7FC742C2B2414196A48296146873BCF787C1ECB447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074757Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:30.372{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE09D5B3CD8DC98022EF2D503818377,SHA256=E3E4020D9CCE0BC2242DD7FB7CECFD81803B5230433E87E8FB662DF0DF8B420B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074756Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:27.181{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56340-false10.0.1.12-8000- 23542300x800000000000000074758Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:31.403{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7DEAF83784E845B370D99CDF90F7FF,SHA256=9963977F1A982B7320BF45B6F0222DDEC778E87BB3C709EBEA01B08827652AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054406Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:31.105{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDAFA90B131D6F011E61BEB3F1C0F6E,SHA256=989D10BB3D21A6E149BABD29E3E2EB32469C23270D95B8FEEF06335E644A187E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074759Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:32.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A273B0145132E9B87E2075E9694E84,SHA256=C7ECD09D12A67938A0B8DC14325BA86ED824817D6058A3E745F854F854A33A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054407Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:32.121{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68422E2D9D34DC29D80EF91B51D391A5,SHA256=AA7C2E30EEC25E364333BF106E7C20896FC3A24231F3E567236D0E1FE63C2799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074760Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:33.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4048FF3FC32CAFE1D168CEE3005823,SHA256=CCEAAD40FD8AC7C155D2D0A6F5FDF7FC2EB019EE6D5B96626BAF2CEDF8450B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054408Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:33.136{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABDDBD002E12684001B944C4C051A30,SHA256=1E65558C3D7B57BD768E4DF71BE7CF15467228C89B0A171BBDA46B2E1FE9A999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074761Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:34.450{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6110800DBD0E21092E17CE5163AA9F2,SHA256=EA7C1D77B780691EA287F75D49AC95CF34537C3923AA384569ED13002F014D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054409Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:34.139{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163885E8E890634D3C087FD83ACC5AA3,SHA256=953864192BF350D236E5C5FDC91293933E79F83E954049F209E7208147B2B64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074763Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:35.468{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB29CE0E8880C7955D4C0439EC617CA,SHA256=F2DCF3633A428BCD68255E192E6C29DB6DAE49E01A7B092D173865F9BD79976C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054428Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.936{8A88D375-91C9-611B-FE00-00000000F101}35565880C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000054427Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.936{8A88D375-91C9-611B-FE00-00000000F101}35565880C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 354300x800000000000000054426Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:33.566{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000054425Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.764{8A88D375-91C9-611B-FE00-00000000F101}35565880C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000054424Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.764{8A88D375-90A2-611B-1600-00000000F101}12121364C:\Windows\system32\svchost.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054423Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.764{8A88D375-90A2-611B-1600-00000000F101}12121260C:\Windows\system32\svchost.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054422Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.764{8A88D375-91C9-611B-FE00-00000000F101}35565880C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000054421Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.733{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054420Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.733{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054419Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.733{8A88D375-91C9-611B-FE00-00000000F101}35565652C:\Windows\Explorer.EXE{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054418Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.733{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054417Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.733{8A88D375-91C7-611B-ED00-00000000F101}38162676C:\Windows\system32\csrss.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054416Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054415Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054414Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054413Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-91C9-611B-FE00-00000000F101}35565032C:\Windows\Explorer.EXE{8A88D375-C82A-611B-680A-00000000F101}5436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054412Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054411Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.717{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-D003-611B-660B-00000000F101}5448C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054410Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:35.155{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F645DA32BB9012020F93D3F9DA3CF422,SHA256=BE2D19305D20CC9D97FC933DEDD45599EBFCEF87B5DB60FC859128E42060D975,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074762Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:32.245{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56341-false10.0.1.12-8000- 23542300x800000000000000074764Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:36.498{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618E4FBFA12EEBFC0BA4A20C3AF4506A,SHA256=5C9F53901D8A1C7AD7F42DEEDBD7213CE244A3DCD35D3004A494119095DA7978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054429Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:36.170{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E653D2EA70865328CF594BAE1D26844,SHA256=607C00677FFDD597AA743F6ABB9A00E841CD79060D2DF5371F9CF8CF060C1861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074766Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:37.512{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5A9FE81E700909E284D84534E8E7C8,SHA256=4489A27CDE85436740CD1642CB2BF0323D8D7BAE947A856E832DA25174C9EEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054446Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.186{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C8FCF544A5A3334152E0E7881AE680,SHA256=6AFE93B9E8B0F4E92D3E324964384C93271B7E0E58FE7A694E19CAA5CAF26ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074765Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:37.250{2F630BB9-8EAF-611B-0100-00000000F001}4NT AUTHORITY\SYSTEMSystemC:\Temp\topsecret.7zMD5=76CDB2BAD9582D23C1F6F4D868218D6C,SHA256=8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054445Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-C82A-611B-680A-00000000F101}54365636C:\Windows\system32\conhost.exe{8A88D375-D005-611B-680B-00000000F101}5296c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054444Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054443Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054442Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054441Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-91C7-611B-ED00-00000000F101}38163628C:\Windows\system32\csrss.exe{8A88D375-D005-611B-680B-00000000F101}5296c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054440Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054439Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.139{8A88D375-D005-611B-670B-00000000F101}20245836C:\ProgramData\chocolatey\bin\7z.exe{8A88D375-D005-611B-680B-00000000F101}5296c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|UNKNOWN(00007FFD220A1F3C) 154100x800000000000000054438Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.144{8A88D375-D005-611B-680B-00000000F101}5296C:\Program Files\7-Zip\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exe"c:\program files\7-zip\7z.exe" a -tzip -mx5 \\10.0.1.14\c$\temp\topsecret.7z C:\Temp\terraform_1416226694.cmd -ptopsecretC:\Users\Administrator\WIN-HOST-316\Administrator{8A88D375-91C8-611B-A770-0A0000000000}0xa70a72HighMD5=619F7135621B50FD1900FF24AADE1524,SHA256=344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2,IMPHASH=41C55772E303B8488EA464A0538E35D5{8A88D375-D005-611B-670B-00000000F101}2024C:\ProgramData\chocolatey\bin\7z.exe7z a -tzip -mx5 \\10.0.1.14\c$\temp\topsecret.7z C:\Temp\terraform_1416226694.cmd -ptopsecret 10341000x800000000000000054437Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-C82A-611B-680A-00000000F101}54365636C:\Windows\system32\conhost.exe{8A88D375-D005-611B-670B-00000000F101}2024C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054436Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054435Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054434Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054433Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054432Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-91C7-611B-ED00-00000000F101}38162676C:\Windows\system32\csrss.exe{8A88D375-D005-611B-670B-00000000F101}2024C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054431Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.108{8A88D375-C82A-611B-670A-00000000F101}23801028C:\Windows\system32\cmd.exe{8A88D375-D005-611B-670B-00000000F101}2024C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054430Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:37.109{8A88D375-D005-611B-670B-00000000F101}2024C:\ProgramData\chocolatey\bin\7z.exe19.0.0.07-Zip Console - shim7-ZipIgor Pavlov7z.exe7z a -tzip -mx5 \\10.0.1.14\c$\temp\topsecret.7z C:\Temp\terraform_1416226694.cmd -ptopsecretC:\Users\Administrator\WIN-HOST-316\Administrator{8A88D375-91C8-611B-A770-0A0000000000}0xa70a72HighMD5=7343B73A4A0CCBE898F470A6B02C6A83,SHA256=7BE9FEC1D1DA3E8A10B41D10BDEA83FB3D2B300B101AD9DA855EE479EA13E24B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{8A88D375-C82A-611B-670A-00000000F101}2380C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000074769Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:38.527{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615CC70ECCAE4CE54A77E8DE1A860786,SHA256=1089CB5446010DAD7835B3EFBD327A1B473BEFEE76CE396D4E28955CBD21A97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054447Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:38.202{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B80EC4A9EA7843E82D31A83F469502,SHA256=E6DDE4DBE0702D5F5DC7E05B3829FD281322094403F75A4D75F1B358B8AF1D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074768Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:38.196{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC79D3B5011484097D14DF966B2548DF,SHA256=F4B109879D9DF4487668DB03C0E2822217E9D0311A35202E46C65D8455450F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074767Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:38.196{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACD30FD269AEBBC91FD9A00F58A7A77F,SHA256=C9F4772AF8EDA8AD1419F33AF90B8CC061535DF60B089DBE0768608F6205BC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074770Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:39.544{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A8A061BEA8DD3223A9D59FD5CABC70,SHA256=06A558C0ABBDEA6488B4D6FB6324692871D7710B323750CF9137F37BB04B51BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054448Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:39.217{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1673AA346BDEC5DC0A9A97382E3261,SHA256=227A8F99E432B44A3B8BD7061FCFCF48A3D854717177D905224ABD66062A2659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074772Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:40.563{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364C8786D702B4EA7752385C7FC71889,SHA256=DA05A2B87B989526F5DA28ED789348CAE1690CD1AED0D4CE96012DEF923EB493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054449Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:40.233{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40046EC7CF759CB3E2E67FAF55472B4D,SHA256=053E12AD30768A29B76F557A72322E4230BD95D40E1CFC4D0C109F333DEC01AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074771Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:38.223{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56342-false10.0.1.12-8000- 23542300x800000000000000074773Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:41.577{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7D38FEA8C24CCAA06FD2B0653F375D,SHA256=3F3B6F28AD540E55B88C59F0A78E47F5CDA6C9267540DF6073B5B818C4E9B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054450Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:41.249{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303A3AB52C7AA83A54B764B2A01389F1,SHA256=8C7CF3ADA82614809F4275D94A6675E92E9E97EFB876BE9AA1EEA291920DBE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074774Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:42.592{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259ACE25779BCE0F318DBE6EE1669969,SHA256=9BD79B1952E570159BE0BF1AC5CFA850B00DC75E817ED7315D7DB0D595F37028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054452Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:42.249{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF9AB3FDCC949BD798DA9F8BE0FDCFA,SHA256=B81E7A4E13F609559FDC5E42C7BF30A77F9C67DEE809DD3C27313CF35E9444FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054451Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:38.660{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000074781Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=67763927F4890A21978B61BAC9CA213D,SHA256=0CC0BDA31CC71259B783BA3590C48B568195F4BA728B7736F37726634B14EB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074780Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=C942269C47C60EAF79C6D787229F8D48,SHA256=79B325AFBBECFF808B6F0F1637EBF5BC64C13DE6DC6497B745007609CC71AF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074779Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=A7F76099EEBD48E8ABE11ED845297F0D,SHA256=55824550290BEA18A0BC93E5B994FED3CF8E58D54EEA99E3A98340D484B14196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074778Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=526087A39082B8CF151D21AD10451ACB,SHA256=EDFAA82A7F840E3B2036348A10EF13ECCD083D9251255A62046473F99E6CA486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074777Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=7E57FF518C7FBDC770226F8F8AFAC646,SHA256=769C46A0B7429422258884006CEFEAF5A566B1576E173EBB781589E0E9937FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074776Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.707{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=1962E0408494EE1D0FC30F5B970FA109,SHA256=9E0005FD6876C4110577237F79562F7717FB3541C6375C6A693E724357AAED31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074775Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.623{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E062AAAE8225200C761A4A128ECBF9,SHA256=947D282C7A81F2F2A66EE5F065A13F4B583D0B207113A47F4372FFA578AC3D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054453Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:43.264{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99858CC6428A23F72A17C3A6EC046F54,SHA256=63F5BEA8B1013AEAA40339DE70AAF6DD19DA7B9A531DA1B918FFCA1E54D997FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074782Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:44.644{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56357C845242001C359ECCFB3A86DAE5,SHA256=DBB23AE30AAD784C92A7D7E29763E487AB41707750B8E9A32838071D56B9E520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054454Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:44.280{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76ADAB984A1E089789A4620C23CDF76,SHA256=0494F3F2231B74B4B17AEA19255BFB9CD771E28CF50FF1D3C8E3E7BD29AAD736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074783Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:45.661{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2081AA52262DDCD0FFD38580400FE2E,SHA256=74D97E36FA8BFD216E67152CE4AE9943CEDB3F6FAE2E4703F9AF4D6E4E491E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054455Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:45.295{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E0F2EA348CF5DC54C4D8C5307E79E0,SHA256=522B1FBC075068A6DC61702AE9C75CC3A2A8B3AFF5845564CBBA112CD099C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054456Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:46.311{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B256D803B89AADF9B813AB6D26F71A,SHA256=EF5B05CC8D77DD942C3E854DD37BAAB8DC30D9DD4F788A20BEF8EF602AF4A42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074785Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:46.675{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439C8740E809160C28051FFFC8410960,SHA256=5CE967124822E3BA0621CCC6B1CB31C94CE045A13BBDCDC4E5FCE2723E2AC037,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074784Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:43.320{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56343-false10.0.1.12-8000- 23542300x800000000000000074786Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:47.690{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B32F1C3930C33BC5BD92BCB9CAB5E9,SHA256=386D80F0B00999232D48ECBF78484F4BB7A4537CE4722645230C4E0F0CE474DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054458Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:47.327{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554538203D5FFAD4BC0A3592366A1E4F,SHA256=373D61262F9095D510854CCAB215573E371319B7B30A52A0743B79E8B57406AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054457Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:44.691{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000074788Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:48.920{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074787Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:48.720{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBDA15279D298EB723C20E52C47BF6E,SHA256=12959D70F93C6FDF09B9D13892E83CFD807CCAE7A14A4FC031DA5644BFCAA636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054459Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:48.342{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5538A2EA2913FC46A8CB3BC50762D5DD,SHA256=28B8CD70D3C64198FCD9B41B8560E4C0EE3C1F1CF87A3584A348C1DF7AF97E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074789Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:49.756{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDCFDEA3115895519904DE080BA0265,SHA256=FF1AF2FCE90A37978E12CA54F75344EEB5C31EF73F2D8A1913417E603679582B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054460Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:49.358{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D058508430FEED6988F4C898B4239B5,SHA256=7CF2B5831D8D0729B2031D11DD39494BBAB19157C79EA7434C848F5B25F4F4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074791Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:50.771{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3218ED22534D3B63CD6E70473FBB7BA9,SHA256=EA0F9D20191CA5419CBD7055B32ED7A5973C73681C2D753E9BCA6CD5DC8A5700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054461Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:50.374{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE814F3408B7F975C7EF96B1548D0859,SHA256=ACC6A2FB726A83AE608A98550396CD78418C1802326F629461B8F9CFB7E62EF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074790Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:48.048{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56344-false10.0.1.12-8089- 23542300x800000000000000074792Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:51.785{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A23B623BF511DB1E84CAC122F26E64,SHA256=B02723365F9968452E07D59DE2251CAF0C2AF571A405BFA27B3C4F418497279B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054462Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:51.389{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74E7BE59368D328825D5CD4D23E0B49,SHA256=D1389A7698CE6D9154C083D80C9282926B894A4611FECCDDE665FEF33EA3E76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074794Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:52.801{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919BB61C7AB022D1D0DEFD03345AF90B,SHA256=2AEB9906EF48D321D5636D1F510BCB73144A2644F5CC8EE4EF87E56736B5D4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054464Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:52.389{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C58215C6D1DF39C174BD528404CAA,SHA256=948B11D17A194F5E0826F485BBF3D5A7217574774CA4E58AB5948B02A01EE291,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054463Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:50.659{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000074793Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:49.263{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56345-false10.0.1.12-8000- 23542300x800000000000000074801Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.837{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8807E46ED9600B95755E7CEAA18ADEF,SHA256=D05B5A2ED40FFA58A47DB4D1B381085E2EFE0D1D4F51C4A46375297AA83663C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054465Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:53.405{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E9E97BC95134183756324FF4157ACB,SHA256=271AA22CB54B7A9FE1B0D3361E886C3FEFFBD0637E935E63BCB9E721B7237A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074800Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.737{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=336A5D6D299AB2D527EEB5C871FEC362,SHA256=8D2E8090323947C817056618FD840136D9F7E99E35D4C6A3A68F8EB96B15FA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074799Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.737{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=97741B65890F0235EEE1C688941EEE6B,SHA256=9B3C9559A64CAF0188A6B4164790B160D8D3B17A5236061840C382063C346C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074798Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.736{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=C91E9C3B3A85113C76F5B96BD8CDA748,SHA256=2AB6ECAEAD42FDAF87F768CF71D51DB71C77060144C18980D20F0EF38F2E6818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074797Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.735{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=A1C35F1F46FA054CD8085DC6E9BF7731,SHA256=4828F42F20D6F9D2EB24D25FA41A059675B725631A6E09D807DDCD740D264963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074796Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.734{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=F26FBC81283697EC9B6877521D4B9A37,SHA256=162C38571757048F556950FB8D5F4F63198BDAD66F2FC863FD056161B6080EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074795Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:53.732{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=DDD2DE6373FB5B5DBB75548C7A3F9AC5,SHA256=2D99AF6D415FC4B8241207280B8E3C15C9C64142C85876CDE7F7F6AFC214E43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074802Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:54.852{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1278A14ECD9201DD93FB87B4E586C9,SHA256=45104B93F18A14BD424A9944ABDB2DD4E7416525F99444F770EC59D06A190B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054466Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:54.407{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FE879A497A31013F1D87BA8C1F03E3,SHA256=55F1727E19C2F49230568C032E4651C8250D6C651F89240DD2A481E9D3449BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074805Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:55.866{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB9D90109809198D7AF79596AE3DF1E,SHA256=D2F2005126719ECD25684B14320B5784EE537FEB557398CCEE8D07BD6E8BBEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054467Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:55.422{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C7F1E99F249C56EC8663BB913931E3,SHA256=80AE690627DC9ED292BF86E1A0181F2EBDA2E53C4917411CC3271822BF0C6F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074804Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:55.750{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1182936DAC3C905632D409545A6CE5AF,SHA256=B10E4A104824FC69A4EA61D2027809D6AF65731D32E2733470718A823329C1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074803Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:55.750{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4ABAA3306D4472EF769A126A2A8A97B6,SHA256=3A16BC7B0EC9B9AF12BC54C1AAF6C5C4436E797F437BD50ECF9264B0F1233FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074807Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:56.880{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFF8DF513C32CD7F20D4984B7A81079,SHA256=50E82F31862720F703664DFAB8CA3A22A02D58C5D5B3E4DF0D4F33DE845329AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054469Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:56.754{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-263MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054468Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:56.438{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D5CCEC59DD76B2E823A463B939AA8D,SHA256=78DBDB1932D0D932D147375A2B71655B760174AFB796D2EF6C0CB2B0A08C4763,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074806Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:54.274{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56346-false10.0.1.12-8000- 23542300x800000000000000074808Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:57.895{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D6089517193A26B116E26CB60AC051,SHA256=7C57CBE244C7BA479CFEF1596B92338B8377984795274BE1195D8E9A22132D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054472Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:57.752{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-264MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054471Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:55.677{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054470Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:57.438{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3677BDE8FC355612D09EE36CE14222FD,SHA256=861DF00D64E16A03CCD75F1FC54598840910FBEA56460956405DFA33E3B1C5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074810Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:58.899{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E95617367B12B7FE9498AAE2083E058,SHA256=7C8332C918314F7CB2A6BFB0B616ED3E175C1E1A56ABEF285D595BE480DD0FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054473Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:58.444{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31F4C116496F24C15BAFEE1D3EA4F9D,SHA256=D1AFA957B896BAD1F650E0FD42E95387714C68BECB0AE508CD7BE05FF9CAFB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074809Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:58.599{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3F29D9E879F90B9130067D188E17C28A,SHA256=821763C6DD79979B437A9F5C443A62E46EABEF8E5AE193E9EDD59C6C45600E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074811Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:59.913{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8006D0D8700DB197A732F54815B858,SHA256=EE4472FB488830287CDEC5D9F469ADD41FFF7CEDBDF17C485D9D44A83C3EE0AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054474Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:04:59.459{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC0BDC84DF4B241F641D4B0218E8AD8,SHA256=B21F4B3329809EB8F6C4BC34669A1BB78D964669DB3114B88EAE050BE2358472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074812Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:00.931{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1142EED301249BC801A7FF38831594,SHA256=07EDDCEAFD1B787412C25F491E6ED9FA324F017E697A8A327B5F30FC205A00A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054475Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:00.475{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A2D457D2B3A523A5579453892D1351,SHA256=F604B2FC2658AFC066ADB7CE9397304824555B511815ADE75D232CDF9CB74A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074814Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:01.949{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203C019FAAEB414999D79270170BC1CE,SHA256=33036B526E786B5EC0D71FA929F639B496EA34362DAE13A4D1084132D999689D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074813Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:04:59.295{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56347-false10.0.1.12-8000- 23542300x800000000000000054476Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:01.475{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD21BAAD575A989D76E0BC0DA162A792,SHA256=CEFE8CB96E80165E3D59FF37CEA5AAFB104491F6429F026AA3E56BA18748FD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074815Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:02.964{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5C38E2205CC78F994FBD0B252F8635,SHA256=3A7A8396683C0756FBC61FCD93A94F46F826E63FA9AC881905E8BE8C4D7BC909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054517Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054516Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054515Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054514Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054513Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054512Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054511Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054510Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054509Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054508Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054507Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054506Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054505Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054504Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054503Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054502Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054501Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054500Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054499Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054498Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054497Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054496Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054495Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054494Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054493Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054492Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054491Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054490Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054489Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054488Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054487Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054486Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054485Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054484Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054483Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054482Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054481Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054480Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054479Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.912{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000054478Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:00.729{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054477Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:02.490{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF706242A0D2BE7D32B33E5AA993E65,SHA256=5CB9D28201F428EDA095DB4BAFA3C80D6F47632169F8B742F3D9EFB106F246E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074816Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:03.978{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4A836B962E835658382EFBE6C606AA,SHA256=61158015E691A63D99AA682D03E4F3A1D18202370D3227CAF505BBA0E5BEFF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054518Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:03.912{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFFAE5241321EFC112B1E19428878A,SHA256=ACC536AA47D5F26C3D9F3A52F4F425B43E52CC9027C1FD85E568F8F8B38EBD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074817Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:04.993{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229E7BE9057E87A3F1FAFBC728DBA4CC,SHA256=6D7128E4857B74CE740D12F2030C8697A07758AD43EEACBA37915430A15B8D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054519Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:04.928{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FA219765A70860EBF6CC56ED7CBAB7,SHA256=6D8E625655D2D3B574784F5CC1996A5AAD1BE6227F08B479FDF7BF0145DF0CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054520Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:05.928{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB81A78775999AAC1224784E36261313,SHA256=6C67841FC2F76365BE4FFE7EE6CE9D4DA6C7A2B0715A0383E5A360776E99EB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054521Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:06.944{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6507E4E207AA39D1B99CFFC16CB588EF,SHA256=10933A9D937955ED5393E1C7873F7CCA5F94DD5E0B7F16FDF99ABFE4F793B0BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074819Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:04.321{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56348-false10.0.1.12-8000- 23542300x800000000000000074818Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:06.007{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909AE95B5866C39C9F4E9269A5D194FD,SHA256=5AFDED11BA4211AF150EFE4D13F704BF4C6EF16BF20B203D890B7F62A7AD2538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074824Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:07.559{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000074823Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:07.559{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000074822Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:07.559{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFffaeb6.TMPMD5=5DC7F12925A3AFE1350E22C4D18895D4,SHA256=C9B1BF1A545F85BBFF7598EC849E260DBCB3503CF53B1AC3CC4FEE256B700E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074821Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:07.046{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-271MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074820Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:07.025{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5CB4B6C9009F3ABD818A352F4E8FA1,SHA256=F1B61E05383A6E1A1FFEEF6D8D551DA60B1DAC7F5B05D5C4F85CE6DB51730B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074828Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:08.506{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074827Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:08.506{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000074826Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:08.060{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-272MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074825Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:08.043{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C291E6FFDA92F0F9C6779100F95595,SHA256=3004B8DC7ED85ECEE9A7FD759DDD8A380D68A6E64402A9CEF940EDB2CF348D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054523Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:06.604{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054522Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:08.006{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4D522CF98765E78CE61F0D6C4CB215,SHA256=4B46765774CEB9B200D75176A2E564E3C83BEE0812C947A250F26FB1F84E02DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074829Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:09.059{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC23A2BCB1A713521E6E6B0274288DB7,SHA256=39CDEF744DFAE9F68AA753E085F95E529B3662F07DC233E4CE981D212E47AAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054524Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:09.037{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AA7826BBEC00CD13C9A961D07E2CC7,SHA256=A0254DDB8298F5573176D5AC8AE15A84E66B4B8099DD36DF8BD37965B57464AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074830Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:10.089{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E16A0392663CCC9F21F47C9F898F5E,SHA256=B625A5A73F5F34B05B1FD87B9C8A0E10FA978F0B7EBED7CA67FD049234D31088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054525Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:10.053{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F43DC05F31C95819A3057B8E876F60,SHA256=498A4D0D138EDAE7FC08E6E0F55E11D3A92626DBE132DAE10D905C3265218F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074831Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:11.121{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488B1A693E3E02ABB5822C9A25EAC079,SHA256=6F992F0F84F28D157E70CF1C0CFF124F142E559E80907F0F2D87058F9DA0E5FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054536Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D027-611B-690B-00000000F101}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054535Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054534Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054533Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054532Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D027-611B-690B-00000000F101}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054531Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054530Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.928{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D027-611B-690B-00000000F101}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054529Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.929{8A88D375-D027-611B-690B-00000000F101}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054528Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.662{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0F1976DC5F63C74659D956AE6325CD9A,SHA256=94676C74167790F075E7D1DEB544B45A23DFE6BF1A6C0CBF4A418AA3EC0658EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054527Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.662{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E9C885B108F8AFC704C435B00E1DFFC,SHA256=7E9136F64CCD2DF7C24BF2456E519C8667DE7F39070E18527495C21C307196B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054526Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.100{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C500A379B4E79E97FB1DE61207A5465,SHA256=90F37ADA59ECD36D9A1E56F177BD7DC830963751E19731942CEDC946AAF7D221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054546Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.865{8A88D375-D028-611B-6A0B-00000000F101}41485040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054545Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D028-611B-6A0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054544Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054543Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054542Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054541Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054540Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D028-611B-6A0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054539Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.631{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D028-611B-6A0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054538Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.632{8A88D375-D028-611B-6A0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054537Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:12.147{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D916AEDDBF5F0D902CF78B4B2B9564,SHA256=8074CAB171C2AD19629187593A9DCB9DDF8C177551F4AFC2E5C87E3304FC7CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074832Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:12.139{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98566ED239963870B715CCC00588D095,SHA256=336361905470E40C8C75A52F75113D02F7A5E0A70CCBC317CC24EC2D98D34D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054565Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:11.652{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000054564Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D029-611B-6C0B-00000000F101}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054563Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054562Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054561Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054560Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054559Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D029-611B-6C0B-00000000F101}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054558Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.802{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D029-611B-6C0B-00000000F101}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054557Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.803{8A88D375-D029-611B-6C0B-00000000F101}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054556Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.444{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5F95D0AC0A18496FC8D62C4F31C65068,SHA256=C27CDC59B6985854F0B35D69B375309E384B7071C64D8CF5A92CF6F5B97EDBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054555Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.162{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD31B986F14FC56F1D95785DAEE86CC6,SHA256=AC6BA94138EE4A7286558C9A1BDFB2D7D4B9237742777F15560EF8686C7E99F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074834Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:13.154{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18C2A497CA3C5604BAD6ABE1F4BA030,SHA256=0F4FACC32891B99BBD002A1310A763C7AE357E5C7C60DED792C2A83A7625CE8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054554Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D029-611B-6B0B-00000000F101}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054553Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054552Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054551Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054550Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054549Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D029-611B-6B0B-00000000F101}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054548Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.131{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D029-611B-6B0B-00000000F101}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054547Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:13.132{8A88D375-D029-611B-6B0B-00000000F101}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000074833Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:10.200{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56349-false10.0.1.12-8000- 23542300x800000000000000074835Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:14.168{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E3383E5225637F33061BCDF8DA8754,SHA256=684718CC457FC69CA358575BD61B0BAAC95C4FA62050B5BB57C674CB050B09B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054567Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:14.192{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1DB71C183D06BC6E1D3EABDD588283,SHA256=BC52BD245E9C7C61B082DB7CC9862EF9083BD6A88D4FA5C105EF83BE1E7DDD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054566Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:14.052{8A88D375-D029-611B-6C0B-00000000F101}56803672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000074836Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:15.198{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AA3E0A223E4CBD29251502B537C3B6,SHA256=BA1E82C03D8E27DD5B2E3D44C0212F3FDD13AE814A780FF8B474B2F40BC248EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054577Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.911{8A88D375-D02B-611B-6D0B-00000000F101}55762776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054576Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D02B-611B-6D0B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054575Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054574Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054573Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054572Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054571Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D02B-611B-6D0B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054570Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.724{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D02B-611B-6D0B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054569Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.725{8A88D375-D02B-611B-6D0B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054568Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:15.239{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC5A050DCE402D3B17B9F0E68C51FE1,SHA256=FA32924DB0D36A00170489F4A9739336B0C444515B0DC121A86CE3316AA39C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074837Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:16.217{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A582E3E8F6EA8038698A978FD4AB64B5,SHA256=4DFE02C0B7CC55CAF1B28A927E6D3A85C1B96D1D0CECA679B63021A6DAD3C853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054594Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D02C-611B-6F0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054593Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054592Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054591Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054590Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054589Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D02C-611B-6F0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054588Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.896{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D02C-611B-6F0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054587Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.897{8A88D375-D02C-611B-6F0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054586Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D02C-611B-6E0B-00000000F101}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054585Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054584Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054583Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054582Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054581Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D02C-611B-6E0B-00000000F101}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054580Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D02C-611B-6E0B-00000000F101}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054579Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.396{8A88D375-D02C-611B-6E0B-00000000F101}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054578Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:16.302{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90998AFF2BA5A3012F05A21CACD77BB6,SHA256=1F95C91EC598E126AAAF6ED210F97D74C9BEB2B30C0CE16FFF87AE6A44745CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054596Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:17.536{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EF05920FAA71155BC4A340F74B09E2,SHA256=2524E370C37D31822A06F93E93D778FDF770A0B7A1F7D00F963B203E250EA5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074840Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:17.848{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE176543C44EB978E885EB77DAFCB769,SHA256=6EBBA66AD6A7EEC95216D6C43A3ECFEC7B50346D4BECEB614F010FAFA2EA575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074839Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:17.848{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1182936DAC3C905632D409545A6CE5AF,SHA256=B10E4A104824FC69A4EA61D2027809D6AF65731D32E2733470718A823329C1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074838Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:17.233{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C86540B2E75A25B05A4C76D11F2D16,SHA256=0D6398D9DD9E713A7EE2CE91E3F57093BA65D779DC475984DB58FE2F60806F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054595Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:17.146{8A88D375-D02C-611B-6F0B-00000000F101}5392600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054598Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:18.567{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054597Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:18.552{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3F5A1DA2482BA18E2BB9766DB2EDF1,SHA256=D04A2DADFAE1CE7B0990E36C7B755FA229456645AB0221BC0F39B62CB8BE5EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074842Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:16.178{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56350-false10.0.1.12-8000- 23542300x800000000000000074841Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:18.263{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13513C4C2B3D7E2E2D1F79DC01CFB45,SHA256=10E115491B7F77C88EE8F95F6A093F0F331A019F9C5EAB230912CDF944649C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054599Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:19.599{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4BBD2202B664655CAFF00DFE34FB4A,SHA256=9195B82FE78F02AF7E6340293DCAB64C1245753A21FDB5713E79A9F7483246A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074851Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D02F-611B-5C0D-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074850Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074849Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074848Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074847Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074846Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D02F-611B-5C0D-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074845Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.446{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D02F-611B-5C0D-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074844Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.447{2F630BB9-D02F-611B-5C0D-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000074843Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:19.293{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F78B09B2340C3D01625DEE1A0A1AF9F,SHA256=0BA1515460678545124CB13E7F4592524087953F613A2E3ED92239E6FB4259AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054602Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:20.614{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F193B9580706F1FBE14902366B04EF4,SHA256=9E39F7E6DFF3862092863DBE1753A89E0A5E816AC5B5B1F2A2A85BF50B3EE249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074869Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D030-611B-5E0D-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074868Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074867Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074866Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074865Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074864Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D030-611B-5E0D-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074863Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.760{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D030-611B-5E0D-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074862Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.762{2F630BB9-D030-611B-5E0D-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000074861Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.314{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9B4051548602AAEFA1B395DDEF4937,SHA256=9A5BD08FE349A00614AE40E6FE8473CFE31BB10FC0B7C9422C08BEC10C0A9BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054601Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:18.056{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000054600Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:17.603{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000074860Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.276{2F630BB9-D030-611B-5D0D-00000000F001}46965112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074859Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D030-611B-5D0D-00000000F001}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074858Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074857Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074856Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074855Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074854Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D030-611B-5D0D-00000000F001}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074853Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.129{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D030-611B-5D0D-00000000F001}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074852Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:20.130{2F630BB9-D030-611B-5D0D-00000000F001}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054603Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:21.630{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975BD89E9315ECC8AE8E14189E9C3741,SHA256=FB7B766811C5DDD996063A4805BD86463D348F72F4E57AF9B82D5FC41C71C4FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074879Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.528{2F630BB9-D031-611B-5F0D-00000000F001}74405380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074878Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D031-611B-5F0D-00000000F001}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074877Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074876Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074875Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074874Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074873Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D031-611B-5F0D-00000000F001}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074872Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.375{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D031-611B-5F0D-00000000F001}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074871Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.376{2F630BB9-D031-611B-5F0D-00000000F001}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000074870Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.328{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCCB78AED6B7126F2D8626DC99592EA,SHA256=C045774DB4CDB78F88751941024FD87FBEE392D66734169F272ECBD1E1A7D86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054604Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:22.724{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498F743ECB69B7E344D15F9E7570F626,SHA256=9F721438560AE29DABE4FBB56B236C6900FEC1F3C0696B1E6B99F6AE9B829D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074898Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.876{2F630BB9-D032-611B-610D-00000000F001}35844580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074897Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D032-611B-610D-00000000F001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074896Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074895Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074894Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074893Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074892Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D032-611B-610D-00000000F001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074891Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.729{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D032-611B-610D-00000000F001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074890Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.730{2F630BB9-D032-611B-610D-00000000F001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000074889Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.343{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405BA4EF30778795BEF916B73677BDC1,SHA256=02542C43C618E59F478248F2249D02B58215DC9E74332EC90DEFF92A98E274AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074888Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.211{2F630BB9-D032-611B-600D-00000000F001}79845832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074887Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D032-611B-600D-00000000F001}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074886Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074885Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074884Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074883Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074882Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D032-611B-600D-00000000F001}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074881Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D032-611B-600D-00000000F001}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074880Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:22.059{2F630BB9-D032-611B-600D-00000000F001}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054605Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:23.786{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76581D60CCC604744FA43CAA67E40088,SHA256=148F8569195819D9CF4109152A796CB076289C5AC22AF5CE4A81A6BAEF35E5FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074900Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:21.187{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56351-false10.0.1.12-8000- 23542300x800000000000000074899Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:23.360{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53827BB72B5941B2ED4D61472047A5E1,SHA256=AB48498F6459DF2C416CF7B1EC429CAAB630FBFD6DCA9FE6B110D4F0A959DA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054606Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:24.817{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC495EC4E7DB3EB98C19FC342372D62D,SHA256=91F4967F0E0B5C326148F24DD86E027D94FE1563AA561BA22BD081430D13F15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074901Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:24.376{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20369D40CE665BECC31F33DA72C19AD,SHA256=3580B2E2537DFF0C8663DA05AE57ACF5F4D50D77AFB39CBE4BF8EDC5DEA4A55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054607Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:25.833{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8264416BF0831191A72E79FAC95B80,SHA256=E7D13F09CE9076921CF1BE007C266980842542F7482E259605659470B2578F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074910Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.390{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7A7807EDF611437A44CE39F99391A5,SHA256=6A4BDA1607737EE60A49B8BE10FFB612002C1945E8050B9101C867135523226B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074909Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D035-611B-620D-00000000F001}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074908Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074907Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074906Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074905Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074904Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D035-611B-620D-00000000F001}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074903Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.228{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D035-611B-620D-00000000F001}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074902Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:25.229{2F630BB9-D035-611B-620D-00000000F001}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054609Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:26.849{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC3537502ADC2C5C93100A40E3F2E15,SHA256=8C6C4FECE8B529AB4A6E79B8AC9B8D2930AAEE2C6AECB7111F94F5B27B97CA5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074913Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:23.888{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56352-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000074912Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:23.888{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56352-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000074911Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:26.407{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65372E4CD2DFD6C1FE0A32CFE7D1352F,SHA256=CE59863A65269CBC62C58874A1D05316348BAF301FADE1D7B76172CC418E8753,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054608Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:23.540{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054610Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:27.864{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C2A5DAC814D2D0C32E070A7CE06ADF,SHA256=1AD77B5060DD32F9D2A13C69C31863EBE3B48A5FB2EFC1FEA66E4CDD7A1F92C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074914Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:27.426{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF97714F92E1CDE2B9E5BA20C4E02B1D,SHA256=DC5C21B46F6301F9BA5B6BA9C8D2A6E2EF17F50FE674AA79ED7FDDA0B7FE429C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054611Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:28.880{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C790406E02DACF6D44A8FA361D47A99,SHA256=221A73621701C87AACBEECBB70A1B22F85F908466E5ABA17D832F1944478C2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074915Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:28.488{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40291EFD9E8920580381B14F0C2AC267,SHA256=8E9791A20B5F7D3BA136C0BD9AF46AF731834764BA93A33A37E4A909439466BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054612Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:29.895{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20F398974888B1E9C73136843DA6740,SHA256=3B59849DE3F01679873F86777C46C62804A2AE45FC5BADD2EA034393AA59A7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074917Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:29.507{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E246A574D09045B99228C1525B308288,SHA256=98AB78762DA138C4076B4177CB33A5A604743A5C1FAA7EAA2FBED7A351834ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074916Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:26.348{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56353-false10.0.1.12-8000- 23542300x800000000000000054613Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:30.911{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FD11CC2CC4B159B524F0F1F1B28DD5,SHA256=38A04665A651631586A90C0E89BBAAB8DF6D950798231801C6A69CF220968419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074918Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:30.524{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F6E05C2CD3AEE8D4B22536E4D2044,SHA256=EA6C47C00C3D75437095EFED460BEAEB28EA2FCFFD839FAA3D15239C1E58391A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054615Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:31.911{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5918D9A5B417134E862629E2C75A546,SHA256=134D540ED11B95661F1D94495F9FC3497652AE4816D0C1CF9D0055AFD202AC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074919Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:31.554{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74386D4CC770A845089AE7850276C0C,SHA256=C25B2FCBC648EE99011156C21DF71819C6518DD05E70DFAB68D9BAD08DDF2792,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054614Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:29.556{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054616Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:32.927{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078803605A2B38AE8F21C33049F4AC5,SHA256=7960831F7B56FC5A03EB572248A43E5300566A8E4B6D3A80D96BBC24754BA7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074920Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:32.569{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B7CCF3D91050646138CFDC638D605E,SHA256=04D9C070E4019D2E5AABFC1E6689A6DE7361BA49209A181D5A2D6A438867DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054617Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:33.989{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A64AC48B0832FB1517BC357DF184CD,SHA256=FEF7AD9DA445A6326C622E825C9AE8E56491B763F53C216B5D219471368E66EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074921Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:33.584{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF935AB7DEEF3F1EB710E7093E39A064,SHA256=5D112E052B5BD6B1D2C6E9D9391F8A1E078126FF8D8FB99B9A1F2B33DB9333CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074923Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:34.602{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F7A0AFBDFF83D318D7D7E56F679E2E,SHA256=4AA966FCE69EBB4F5A0180013F9177BBB65E19F519FC07B359AE6A294EEC6B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074922Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:32.328{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56354-false10.0.1.12-8000- 23542300x800000000000000074924Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:35.620{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5603CDDE87E87AABF6661C65DDE44845,SHA256=47A27F582AD36BFAB04B03CB3EDA54F4406C14B8BCDDAD5F4D0BED29881476A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054618Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:35.004{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8920F4F4D93D582955CC9E1B1A295DBF,SHA256=E834CC8513F80A6D04304BD06DA1677202529DC65C4E9D7893BFC76971A1AAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074925Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:36.650{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AF2D5774702D09004BB56037952122,SHA256=8DB17E3282D2BE0FEAD27830208F5697868DBC9C9B9E84D8085379DF15ED5E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054619Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:36.035{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0354EB583CDD025CD886BBF7702EEA9D,SHA256=0387CE5A21F256A03A32F3273B552BEB5B49323C882356DF1F9C47376337AA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074926Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:37.680{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B026E60590DC98AC83790636BC755957,SHA256=95C3009017916698C37ED14F6F2E7CE33841870508B6B8AAD73D6B4D72700D6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054621Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:34.633{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054620Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:37.098{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB78DC657B08FC767D047EBC7B74C1C3,SHA256=E3A090A55F3FA70EC8FE1BC05CF0EF552B0F593082B262EA5B81B458F8841E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074927Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:38.698{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350467BD2E08C762EF965B491F50D236,SHA256=4651585CBA22F9557FDE02C3DA19EF8EF6C740A26DB9556E39CFB72C4D6EA2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054622Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:38.113{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22526BBAF268A6B7FF52998890155A69,SHA256=8D545062CB41DD0F48927EAFAA659FBF9DB16A3F1418B762414AA9B6C8B87DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074929Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:37.376{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56355-false10.0.1.12-8000- 23542300x800000000000000074928Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:39.715{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D58856D79F13ABA54399BE6ACC741D,SHA256=BED5F99974C59FB657E4E979618174E596CCE40916A3A0614E98F7F8C973E626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054623Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:39.144{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3234126EF86D4F0A8021773EC07A007,SHA256=B25FDB22611DF89E9171636023C948CD89FC37864E1834184A507FF615D7A957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074930Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:40.746{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566AB3D6F70BC6DC9D59832A5881F147,SHA256=3020AEC6D6629526E30DD8A83D458E8223755AAA7547C14C27499BDE62C77141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054624Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:40.160{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8993F9C579EBDFFB03087844A9F56FD1,SHA256=6D4377A4F5356E446E82E46E7FCB778568E86C9276C017AA229B2DCE213D0141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074931Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:41.776{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AA603CBFE63E7539CC547D86B05585,SHA256=8D69DC1B3D3793716C99EB287B975B3CDDBB22F229D54683842DC24FC9E49FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054625Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:41.176{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF1E147302C07D98B918A3D19FAE219,SHA256=1A5B1CB17FE7586A6248A2DB5119A48C32B5BDE5ACA5E9547949DECB0959625A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074932Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:42.793{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F917E5858423EA2E9A459832A6FF2E10,SHA256=CDA7A51F0DF47CA0D78FBB9476391A5F5B7946A15332059116F2C727EB850AF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054627Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:39.742{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054626Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:42.207{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5780DA8ED21C21C81FB84AFEB6D812,SHA256=86F3040517BE6361EF786338664692E92C4509C90ADEFEA0DDDFE78597C4B6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074933Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:43.811{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E29CCC0AEA3455EDFD3E5784FA69D41,SHA256=4BF2541654AEE9493DBCA91590D31A45276B9E5242DCDE8C4B28807AB2782DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054628Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:43.254{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C732EA64D3EF42743B43D3C0C76F588B,SHA256=6A6C0DF2FF858A759759A7666D796A4FF6D4E7C3716794296A2CDAA9BACD383D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074934Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:44.826{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901896A00B2DDAD93166999165230CEF,SHA256=C4D4E72ECA4FBBFF8A32C7C090A3CA9227C93E362BADB159DB6F6A59215DB6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054629Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:44.269{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3209980F27564648D5376149654C37,SHA256=1E6FEB65171BA39D05AC8E9CE04B6639176445D8D25007C2EB86961C5D0E0A29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074936Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:43.336{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56356-false10.0.1.12-8000- 23542300x800000000000000074935Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:45.840{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0556A51A9A80191127B2F839AE6C490A,SHA256=74996EA5316FADDBCEC2F845F24E5B67E2E747B7211708C4E410DA6FA361DA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054630Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:45.301{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D227928EC85EF5A3FFB28DC8B5FF1,SHA256=C742F116FB5608FBA322551AF755BA0C7477D1AFA5917664F882D54DAF3DC021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074937Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:46.855{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434E9CA6D7933B1409A5A0381CA8295C,SHA256=0A5B43013FF443A2E2950523F693A54AAC0FC65725C51DFC02ED30DEB6902FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054631Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:46.316{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2F14878C8D0A820B74EBE2C4AF4F09,SHA256=EF1A705B6C828456A02DECC3CE1A81562567FBB9D2B9785383C7C1865B5A98AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074938Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:47.869{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10338943E550AEA4C8B920BD45D3C903,SHA256=524D3467761C9C059C658E497B08B7F805012E45807481A0D7FAC74C908E517E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054633Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:45.524{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054632Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:47.332{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A031A29E2F43512F377445A24094C631,SHA256=72EFCB442F10930D3AA93D38FDA2A76BE9BA49A528FEDBED9D9A1FF88CBC1FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074940Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:48.937{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074939Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:48.922{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F992F5F6E21CDACD40A0D3ABE2FDBB2,SHA256=E69A4DA33C4745F74947F110EF0E84349274F69455DA434CACE1EF7778C702DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054634Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:48.348{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF755786BBDD4C9E24953A472648FD0,SHA256=0A2AECAA10EA32A5392A25735300F3E1AC3F0A68BB552AB7082F6E684F84FC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074941Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:49.936{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F45D0B08DBEFEEA5ACC1003571659D,SHA256=373D650DC583E23A31D9FD13C42FB537D8AF077EE6AE8D46304116C48A2FBDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054635Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:49.363{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E373916573FF06AC7C450F01F1B3168,SHA256=9114D06F0BEBBE1BEA30250516B31CF7B2D7053F42A10405A207BEB3CA3B1CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074942Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:50.951{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E2861BE0F080478576FE854FE6AF32,SHA256=14FB77D52744B98E9BB129FB933649743AEBAB8A9E69767DD30450D5E06E3D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054636Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:50.410{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4429F7D0E472DA4AE3C0AD8536865F,SHA256=6F9BEB591271C2BFF240673A302E443532714357938997ECB18D2E421904EBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074945Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:51.965{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4997D12F2FB6C2699EDA6F942B7D82,SHA256=8D49F1752AFB28728BA682DC1DD54A2D85D04AF5981A1C3CFBD725EE91EA2316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054637Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:51.457{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1890B5C012A3816FAD7A6794BA220A11,SHA256=4E7B61C3677D0DD3C4B5CE8A2B33B9790054494316ABB2EA9A6A69A1DB63EAC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074944Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:48.396{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56358-false10.0.1.12-8000- 354300x800000000000000074943Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:48.066{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56357-false10.0.1.12-8089- 23542300x800000000000000074946Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:52.982{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85080245D7F51BE50E7A4EC1CEE488FC,SHA256=DB1466C94C9482F80A2AA93EE3E9ABFCD57D3A1BB53BC40F138A8493458FC3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054638Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:52.472{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EC7452895B9DC99E691D1DA7B5FF45,SHA256=FBC649F8BA1E2391C4CFC4B84BFD4AFAF689E28486B9349EFBD160F6FEE7E899,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054640Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:51.539{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054639Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:53.490{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42693609B96BC9B0D2C93F93C08536DB,SHA256=CBDADDF42D1EE1A1A3C45D3D28DDC1BA4A57E27BA3E8C45856240AAF164071D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054641Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:54.537{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4440638E8C24481D763528AD67B607FC,SHA256=F88DFE358A055193F6A6E3A4BB272BF89EB3C0C0EBB7A6BA01ACB1977CF86600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074947Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:54.000{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BBDC784F7885F65CC0B804B4DC43CB,SHA256=A73519402689683AF9C23ABD79B65D81F1E30E4FD47874A960564B030047E2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054642Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:55.552{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040044D4BAC248AC70FB134517E2E055,SHA256=E2115FFE8837A0B75A85527E887525E9C859776FEBD4BB50F6EE24B4490A7119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074948Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:55.031{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BE64346F3934BA7478E7303065370B,SHA256=5A2BD005A480E30BDF8E82822EA54DD5A1C16B4FAD31D12FCC43E6097BFBFDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054643Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:56.568{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0281F74D15732E34DEB4D2F5A9C795B1,SHA256=FF4623C312B74786C69FBE406CC8FC22B9667F0069BA7DB4A4824F8315210A9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074952Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:56.531{2F630BB9-8EB3-611B-1600-00000000F001}13045092C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074951Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:56.531{2F630BB9-8EB3-611B-1600-00000000F001}13045092C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000074950Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:54.174{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56359-false10.0.1.12-8000- 23542300x800000000000000074949Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:56.062{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CD981EC4EA23687EAA4C9366CC0105,SHA256=7BC625537C8E258404315AB86BC2DA6E3FBD7F79C455E4DBAAB691197E52E82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054644Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:57.584{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7CCFD0585736A36DD51CB44FBE6399,SHA256=EBDFE74963B9DD3EFE5336D16CA872334D0F4D8C76FAE2176C63E7FC076038ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074953Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:57.080{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7291DC7EA76F3B47DA15F16E97898EF5,SHA256=3578CB26182D43A7CF839D2500FA9348D6DB7828403AFCADD3F20A52D59492E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054646Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:58.619{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D650637EA785FFD23467B529BB504E4,SHA256=94FB82FD00B261BE5B8FB2A3787CD827551E913D8A5E8A1560E3A9537FBA9643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074955Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:58.614{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BCDED387436C82CB33CDD76C5C51A434,SHA256=7763FE6F4029C248AD7F1BF2C62420E5290738D2261B9231F16A8C20971D6F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074954Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:58.098{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB61CBAA77E56DD0E1FC832F5399AA8D,SHA256=29B83A03BB91E7826C97D0F0FEDBA0DD52D14847B63A592C487D01CED52F1896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054645Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:58.261{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-264MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054649Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:59.634{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC080382791B410BC6945F70DC7020C6,SHA256=071AB4FD0EF5EC6E0C8D4F633D1AB60F32DA8F634E80EFA20872E072DD0F016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074956Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:59.113{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC418CDF7107C70EF0155A1F9475BD,SHA256=B405E8BAE59185671EF270C7A96378246294F66ED8840769A2368F581DE663B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054648Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:59.261{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-265MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054647Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:05:56.557{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054650Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:00.636{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C681B69AA22947D2AFC5CF33B02D009,SHA256=39C3DE80FAE80A6393764185D99D55CC7E9C0C495BFF63F3CE8C124F5CF73E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074957Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:00.128{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B35D58557481BE7560003E413BF62B8,SHA256=FD4FE6D2F7457AC584629892E261B06F00219E38DAF1F2EE6728B6D4173CDF0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054651Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:01.652{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578E54EF3F009510D7AABE5FD0CC21C9,SHA256=FFB2C91CF89325FD9C290B822F3AB45D5EFAFF24EAE9E3FD0260CD9C3CC21BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074959Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:05:59.403{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56360-false10.0.1.12-8000- 23542300x800000000000000074958Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:01.142{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E6E3F07B1C6328DD0727F779F61E0C,SHA256=A07706357D441669CD9ECF8DAF65FB13E9ABEF68FFE7AF4F0CF48D8A316A2042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054652Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:02.683{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695FF2E4DCD789CA0C665809D0602098,SHA256=8E90CBE84B82F89DB4403AD82EC100E278B7E708532A6F544B967405F56776D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074960Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:02.157{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC006E2A0748AF49BDBAE5D735D6377,SHA256=EA370727FFBB119AFA3BE354D2D80EEA27341B97984F1289BB13962EB8A64059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054653Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:03.761{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983465496EBD1CAD0ADEBE8123B5ED79,SHA256=51BFB5A791ED8188D7E9B0397F92AA16CBA804DED0CC665B7D499EC866C331BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074961Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:03.193{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF0A1D62443512587F15B8F8DAD6E02,SHA256=E860CB92CB11568A7E57D57ED977C6C0CC6779841192E7C6D9B69A661DD6AB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054655Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:04.808{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36F69B683730849857B0BD559A4AAF8,SHA256=64911A25DC20FF6073F6A255728F8B6779A5402CBAB6731BBB60F1A54E65158E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074962Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:04.223{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21B17ABB0EC9E6D60024978DF2C3103,SHA256=EB4024F67475C7EBD7FFB021913BDA5597BC714D87157FB45B6E13B2072A3A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054654Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:01.734{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054656Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:05.840{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96D3318C8CE2F5238469EDC2B36F7E8,SHA256=93CBA8390B735062995FE5651775C694E8ECFBC4A0FFFCEC7A161E2BD0B64F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074963Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:05.253{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D88552B6BAEF1FC74A5A3CF0AAF4804,SHA256=349D8A8F48D1667032EDEC18261260416A57CBE4B4843B45EE2796CBB201A48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054657Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:06.886{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847161E634001C9064DDDFC11E98C8FF,SHA256=57046BD3DE1F81FDA9354751E2F04D40BE3EFEE11873E792081E8C43B898A89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074964Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:06.270{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F7684DAAAF971B7E32A8A18BA4EA25,SHA256=046D492EB052A34B51031239A957FCE183694309752244AD94BE01BB21B819FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054658Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:07.902{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FDF201B0E65384D37AE341CB357C6F,SHA256=E362EBDD0B9A62B761E9B2CE5A291B0DF2C3653F597CA8ACE14DECF510E7C296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000074966Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:05.312{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56361-false10.0.1.12-8000- 23542300x800000000000000074965Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:07.288{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A05A7590E753632977C17704F85707,SHA256=80BE57F558BB42FB71503DEF0D021364D20ACB15173AD20CF318313EBE247F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054659Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:08.933{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0B07FA749DA0759E7FDCC125DD31EE,SHA256=237294FA4F2DB3FFF317D9CB891FDCA148BC6BEE177F22EAEC61CD883F6FCC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074968Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:08.589{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-272MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074967Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:08.319{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204A11FACFB5B35EAF1E42009CD92CE5,SHA256=92E7ADBA022125B6D31442E856E7C83F93476C2F8433382D2A8156FD66CB5C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054660Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:09.949{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3C947D0C01CD0199A4EA260A8EE4C,SHA256=AB797B710966FA37F92A6813C8390B3B7F37B1C6AB58FA7749827604A79925E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074970Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:09.603{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-273MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074969Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:09.333{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837E7398C83315BD38D51AEAC516871F,SHA256=57A6FEF4E180E62E6A3FF4613A86540FBC37B155FD4DF0D79442E9BB04066D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054661Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:10.965{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684772C25511E6E1EFE60723A5A08EAC,SHA256=954CEE436A56FCFC2BB62AF35B3AC5C1908C12D8D3F5C3CCD57BCDA919606FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074971Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:10.348{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D1A1ACEE289C1A2A5820C8E5E32AD8,SHA256=DF73EBDF728CF550B06D65742D4CEA60236F1F1190FC498E777AD7E702412E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074972Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:11.367{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF1A1ACA4DB0AA58BE4833111A7425A,SHA256=DEB753CE4B4133E27CF039442E9446424A56DC3A85AB09D9E3F32DE7B7A3D315,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054670Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D063-611B-700B-00000000F101}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054669Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054668Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054667Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054666Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054665Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D063-611B-700B-00000000F101}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054664Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.933{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D063-611B-700B-00000000F101}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054663Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.934{8A88D375-D063-611B-700B-00000000F101}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054662Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:07.672{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000074974Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:10.361{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56362-false10.0.1.12-8000- 23542300x800000000000000074973Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:12.385{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E8F480FFF7589F64A4076D5F48DEFA,SHA256=AC140AD0D02F3606EAA8815402CCE6EA9A674E6444150A3E589D661562395C84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054680Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.839{8A88D375-D064-611B-710B-00000000F101}6844912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054679Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D064-611B-710B-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054678Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054677Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054676Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054675Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054674Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D064-611B-710B-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054673Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.636{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D064-611B-710B-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054672Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.637{8A88D375-D064-611B-710B-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054671Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:11.996{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA4F5FA2B9BF75716E08445A9C51D77,SHA256=C4270ACA0379DFDC3D5FC241D7367DBC94BF4D018A767B771975C402BCFC78EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074975Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:13.415{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5007B3C578A63145CF6795685BEB84DB,SHA256=C0F1A5E51DAF31605CE10BDB48C47C4D6D3839D18360B9E122A800B6968DC163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054699Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.995{8A88D375-D065-611B-730B-00000000F101}44404548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054698Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D065-611B-730B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054697Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054696Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054695Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054694Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054693Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D065-611B-730B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054692Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D065-611B-730B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054691Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.808{8A88D375-D065-611B-730B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054690Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.449{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=13CC587B77DC8F9D75718485B136EF9C,SHA256=E482D5F2A8B7AEDE54AFB85DF36622ACB3AD15317E03A8579F161FA2CABC32ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054689Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D065-611B-720B-00000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054688Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054687Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054686Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054685Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054684Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D065-611B-720B-00000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054683Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.136{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D065-611B-720B-00000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054682Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.138{8A88D375-D065-611B-720B-00000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054681Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:13.011{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF132F468B00FA833AE8DB897A55EAAD,SHA256=8F73CC0E2838784E61442E7C66D10E5F3ECF5419EA6438B9BC693B36D9B7B5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074976Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:14.446{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7E0A1D609D44B9DC2EB4AFC11A73CA,SHA256=BFF3BFE7492102B308A4CB8AA40806EEC27A67DFE3886016C2F08D3A96C0BCD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054703Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:14.776{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054702Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:14.776{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054701Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:14.776{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054700Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:14.042{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217E0A1AC4370F4AFD12A433BDF35836,SHA256=C6FFE2D636039250CA0A7D1A471B3012BB2D33016C02A3F2B702E86AAF54D0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074977Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:15.465{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B64945C629DA551E9C2D88017700B1,SHA256=E95E36317AD033089DB05C1D865EB70C1B9C51825DE122D52ED837E2BA499F33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054713Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D067-611B-740B-00000000F101}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054712Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054711Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054710Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054709Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054708Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D067-611B-740B-00000000F101}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054707Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.729{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D067-611B-740B-00000000F101}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054706Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.730{8A88D375-D067-611B-740B-00000000F101}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054705Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:12.703{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054704Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:15.104{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A00934C44E96E3E40FC9A51D2DC2C37,SHA256=1D3E822DBC4F74B59638E952654C08CB5CCB23D2DBA9B9A9C00FF5460F02A523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000074978Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:16.512{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD1F6B897193491182A3A2E56A04FF6,SHA256=080214E18A0399DA5904B97DF09DE4AA518747DBF87F5C49914CF1EB7E08EC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054731Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D068-611B-760B-00000000F101}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054730Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054729Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054728Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054727Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054726Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D068-611B-760B-00000000F101}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054725Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.901{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D068-611B-760B-00000000F101}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054724Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.902{8A88D375-D068-611B-760B-00000000F101}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054723Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.417{8A88D375-D068-611B-750B-00000000F101}17604824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054722Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899B4959C8D7EA45EC10338F2BDAE12B,SHA256=C36C955A65A629AD6BD3A4E4A4A4A1B3E8B0AF402F98CDECA43B9F86C87889F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054721Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D068-611B-750B-00000000F101}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054720Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054719Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054718Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054717Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054716Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D068-611B-750B-00000000F101}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054715Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.229{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D068-611B-750B-00000000F101}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054714Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:16.230{8A88D375-D068-611B-750B-00000000F101}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000074979Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:17.527{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99951D062E81872E734116B5FBFC0B25,SHA256=22C7E6E4EE6BC0F2EBAB873E18B6547969D8B3486CD44F0A6DFBA29146914E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054733Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:17.261{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E217957021A6078CDFA24585E206D603,SHA256=BD2D0E375A35DAA18C77D6DF2A7D4A12A772F656A4FAAE04C12A94F187CE3DEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054732Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:17.120{8A88D375-D068-611B-760B-00000000F101}59644044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000074981Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:16.224{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56363-false10.0.1.12-8000- 23542300x800000000000000074980Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:18.542{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095F810D7759D39ED4C20903757BBF67,SHA256=F9B28A4D7C1356EE11016D78CB1CCC5C19BDFD4FEAA18A3B3E77D8DD5692EE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054735Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:18.589{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054734Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:18.292{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21561EEEC521DFECDA2F09D65CFB841B,SHA256=6EEADD02A54F0522D333C2FC544ABCCEF050C40226533472757D50186193BA65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074991Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.609{2F630BB9-D06B-611B-630D-00000000F001}50202372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000074990Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.562{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8522CA6F12E3B95607DB7A858B091F0F,SHA256=97CDE04FE5179BB612A37F4C2140925A67BEC420565B78AB64AFDD7BC27FB862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054736Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:19.323{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D5C0C9D1569660FE897B9F15648489,SHA256=6BDEAF921DC27B8AA2C299BB714B585565CF30019A7186119B2B6323336BB5F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074989Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06B-611B-630D-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074988Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074987Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074986Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074985Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074984Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D06B-611B-630D-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074983Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06B-611B-630D-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074982Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:19.441{2F630BB9-D06B-611B-630D-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075008Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06C-611B-650D-00000000F001}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075007Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075006Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075005Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075004Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075003Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D06C-611B-650D-00000000F001}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075002Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.608{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06C-611B-650D-00000000F001}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075001Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.610{2F630BB9-D06C-611B-650D-00000000F001}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075000Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.577{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07839ED23FABF3EC78DF37AD6E65202A,SHA256=D783DDE2DB6BD7749F8C56BB03D87E050AE3F5E79D5620C9463F1B0E0F5F2D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054739Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:18.686{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054738Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:18.061{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000054737Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:20.354{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83F0D81009FC510EBCD528575CB34A1,SHA256=8A2B46EFA4014659B159281CFC967B042E052A94712B4E9E29C28560B041BF73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000074999Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06C-611B-640D-00000000F001}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074998Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074997Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074996Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074995Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074994Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D06C-611B-640D-00000000F001}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000074993Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.009{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06C-611B-640D-00000000F001}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000074992Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:20.010{2F630BB9-D06C-611B-640D-00000000F001}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075026Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.959{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06D-611B-670D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075025Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.957{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075024Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.957{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075023Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.956{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075022Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.956{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075021Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.956{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D06D-611B-670D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075020Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.956{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06D-611B-670D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075019Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.955{2F630BB9-D06D-611B-670D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075018Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.592{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8B39F22D6FEE9D3F5A6C99DCEACCD0,SHA256=59D75A4F33CB151EAC0006421960B4EC395E5D530CDE360943A720F26866AE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054740Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:21.385{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4960D993D9D528792AC995B5AF4832F,SHA256=D902A9F2ACC5142A7F803EF13ED858D4B47BC10D54652233C5EC87760E4CABF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075017Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.439{2F630BB9-D06D-611B-660D-00000000F001}62244140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075016Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06D-611B-660D-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075015Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075014Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075013Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075012Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075011Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D06D-611B-660D-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075010Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.292{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06D-611B-660D-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075009Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:21.293{2F630BB9-D06D-611B-660D-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075037Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.821{2F630BB9-D06E-611B-680D-00000000F001}2244432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075036Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D06E-611B-680D-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075035Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D06E-611B-680D-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075034Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075033Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075032Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075031Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075030Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.637{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D06E-611B-680D-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075029Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.638{2F630BB9-D06E-611B-680D-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075028Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.606{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338D7C17928554D3CB7833A31FE160EF,SHA256=B2ECDEF5F76A0BAB7E96535AFA3DBCC007FC6E7223F1DFFE14D9DDB026F3E894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054741Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:22.401{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DC7D9C6FC9AA29F3821797AC068C91,SHA256=00E519EED1567062DA63C7CB6CE04209AB5324114C08C8357EFEB06B9DFED41A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075027Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.107{2F630BB9-D06D-611B-670D-00000000F001}60726452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075038Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.620{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E5B43458EF91FDE451445933BDD103,SHA256=0CA77060E8C5B1D42FDEC6BE9B97A93D57EF92E9F56774D1856115924D0F5DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054742Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.432{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7959BC439A0B71289021E078044D1F23,SHA256=D9F7BA47D8ADAC24F47F22244E417C85260D24EBC77A6ED5249A0E8D506B096C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075057Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.635{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FD2B2777D0C76AAF095ADD17988306,SHA256=1C89386C23F0BEC3932C198721986062E046C731B4AD423123D3563503DD05E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054743Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:24.464{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A1B7474801378862A53A9B2D9B3B3F,SHA256=AB323BB0D23BA57030797EE31AE950E7916B119A784CA4B600475BA846B85BE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075056Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.457{2F630BB9-8EB1-611B-0B00-00000000F001}6324720C:\Windows\system32\lsass.exe{2F630BB9-D070-611B-6A0D-00000000F001}7060c:\program files\7-zip\7z.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075055Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.457{2F630BB9-8EB1-611B-0B00-00000000F001}6324720C:\Windows\system32\lsass.exe{2F630BB9-D070-611B-6A0D-00000000F001}7060c:\program files\7-zip\7z.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075054Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.452{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D070-611B-6A0D-00000000F001}7060c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075053Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.451{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075052Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.451{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075051Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.451{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075050Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.436{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075049Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.436{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D070-611B-6A0D-00000000F001}7060c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075048Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.436{2F630BB9-D070-611B-690D-00000000F001}66525808C:\ProgramData\chocolatey\bin\7z.exe{2F630BB9-D070-611B-6A0D-00000000F001}7060c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|UNKNOWN(00007FFF66211F3C) 154100x800000000000000075047Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.450{2F630BB9-D070-611B-6A0D-00000000F001}7060C:\Program Files\7-Zip\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exe"c:\program files\7-zip\7z.exe" a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=619F7135621B50FD1900FF24AADE1524,SHA256=344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2,IMPHASH=41C55772E303B8488EA464A0538E35D5{2F630BB9-D070-611B-690D-00000000F001}6652C:\ProgramData\chocolatey\bin\7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc.7z C:\Temp\terraform_2622642.cmd -ptopsecret 10341000x800000000000000075046Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D070-611B-690D-00000000F001}6652C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075045Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075044Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075043Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075042Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075041Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D070-611B-690D-00000000F001}6652C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075040Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.404{2F630BB9-C7A2-611B-3F0C-00000000F001}57725776C:\Windows\system32\cmd.exe{2F630BB9-D070-611B-690D-00000000F001}6652C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075039Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:24.415{2F630BB9-D070-611B-690D-00000000F001}6652C:\ProgramData\chocolatey\bin\7z.exe19.0.0.07-Zip Console - shim7-ZipIgor Pavlov7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=52F8AE90DA55C6327F479C282707B659,SHA256=82A435626764FB4893A1340C465B1AE1F906E582258CE8787C0C44167634A41F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{2F630BB9-C7A2-611B-3F0C-00000000F001}5772C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000075066Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.654{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BB02791A2CA42EF8F53ED09007F3F1,SHA256=074B15942A32CDE1B52EED60D513A542E06D875338C53929BB1D8BF7EB5F8FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054746Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:25.479{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003C6810819FB8C105EAEEB7796EAB14,SHA256=2E17D51EE95F6D8AA2E0986B8D8825D2158CB9923BCA66C77D1EF700B53F5FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054745Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:25.479{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=765B8F28C6F814F79E7C185F0BCB52C8,SHA256=A5AB75CBB44049133ED8A91F5587B153815F223F85F654EFF98F16C259503A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054744Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:25.479{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62384CC50B1A5CE8AB04EE4E4FA9C379,SHA256=9118E65771F553348C722D427163CF07A79ACF5ADA9DD5DD19E65B970C9F8F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075065Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D071-611B-6B0D-00000000F001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075064Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075063Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075062Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075061Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075060Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D071-611B-6B0D-00000000F001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075059Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.103{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D071-611B-6B0D-00000000F001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075058Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:25.105{2F630BB9-D071-611B-6B0D-00000000F001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075077Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:26.670{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA23A289CAFEAEA82CA11B31449595F,SHA256=2FF501B04255500527F912FF4FAC053EC7A6B547C782978BB98FB89BC07281EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054755Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:26.526{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF3836564598DB8FABDD0162135912D,SHA256=0E9723D4E41700ABE5617E53FBB53896F318FEE9828F1E522E893B861632074C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075076Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.895{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56369-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075075Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.895{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56369-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075074Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.632{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53053-false10.0.1.14win-dc-86.attackrange.local49676- 354300x800000000000000075073Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.631{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53052-false10.0.1.14win-dc-86.attackrange.local49676- 354300x800000000000000075072Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.630{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56368-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000075071Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.629{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56367-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000075070Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.628{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56366-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000075069Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.611{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53051-false10.0.1.14win-dc-86.attackrange.local49676- 354300x800000000000000075068Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:23.607{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56365-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000075067Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:22.249{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56364-false10.0.1.12-8000- 354300x800000000000000054754Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:24.561{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054753Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.972{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53053-false10.0.1.14-49676- 354300x800000000000000054752Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.972{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53052-false10.0.1.14-49676- 354300x800000000000000054751Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.970{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56368-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000054750Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.970{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56367-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000054749Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.969{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56366-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000054748Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.951{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53051-false10.0.1.14-49676- 354300x800000000000000054747Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:23.948{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56365-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 23542300x800000000000000075078Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:27.685{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4193C2A7473DAB05B9C6DD89B69E2916,SHA256=682DFA263E41AD32024DA1AA9AFEA5AC75E3548C4D9FF3B12E482B2D82F6362E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054756Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:27.542{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C36B87A0BB1C110AA02A2B0A093E16,SHA256=E10F6483ACF6D8284E50951A69EB26A40E1B269ED7935701C8A68DAD7540CC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075082Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:28.700{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A5E19598A43FB0FC10D059F9624211,SHA256=C2B20693241F908D6872448539FA503EDE4089CAFAF7A9A95E1A0AB997756C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054757Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:28.557{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F412D724EBCEB191C4C8695F6EBE24C4,SHA256=21F9348FBF442F9B29B05CE55662BBF740AA438390F8010FEEB7B9157D72D49D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075081Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:28.032{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075080Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:28.032{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075079Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:28.032{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075083Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:29.730{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B446B90E25CC26B457A0E8EE8B976D4D,SHA256=49A4EF610C0FB1883CFB669BC4E9AFF8585889E0DC04CF1FC83C67657C2ED7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054758Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:29.573{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A800A790B920E30690766C02BD90CCE1,SHA256=82466C2715E92A30A1CFDD1B8D345063507F325038C35A2145218D91DA21BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054759Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:30.604{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941BCC3C1B93D3D693C8650BC1D2E69C,SHA256=1E2F6572629CB97C858CD9C6B8830FC40B385E39EAA80E9B7C9CBA607C9B50D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075085Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:30.747{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5590612407B0E32B582437C96BE7A4,SHA256=DB92B0CA8DBE4E7371C728A76F66C58537F84AE658C750DFC0848768DDEDFB15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075084Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:27.375{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56370-false10.0.1.12-8000- 23542300x800000000000000054760Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:31.620{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5124DCB7C16150D2AE9218B0BFCABE6,SHA256=8BE84CEF59834B428573F2A5199A81397416FCBA348EF78B52E6131D63B86D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075092Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.765{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215B875FB5EA4D3D4E837F6754253954,SHA256=CFA953116B84688D421C139A2E72F7D3EB8E114120C416187596A750011D4696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075091Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=B8753138B819E29D110945BA594584E2,SHA256=5BCB5BBBA98A58FA5623815ECBBA77B5840084188C35EF325F4AC67A3474F4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075090Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=FAE25FE2977BFB277EBA0781E48C8142,SHA256=EFA77DB062DDAA56575F2865C5C208F7C3E0F966C689E005E43D951A3D1AC1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075089Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=42410293ACBB073C08E66A5B9A5B13FB,SHA256=A7EDEEDA72818ADDC026877554304A7886D9CC3DF676C055E842B37CC80FC819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075088Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=3062D817A7F3E3553CBFB441D6625C7B,SHA256=8B29F4FB9C75D9264061C7DFDD4CA14B24C94441C0BA087B022046573A98FDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075087Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=92818593A4E3BAC22CB0B8CF632E8C2A,SHA256=C9121F3903C44A3D10BBD733F604FC777F75126A776FF1D2DE9CC8967FCF9BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075086Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:31.628{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=04F12FAA1F8F6E3810A26D8F2C7917F0,SHA256=9DBEB7FE3F6DAC2771978EF8F8F3BB936FCC426AF9C96AAAA4504202BC915E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075093Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:32.779{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3758713D206A07F6753E922F6BE9F0,SHA256=B8BD5907C8A3A223F89DB2695ED5AFA931815551319D9A938CC62FE9D6562739,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054762Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:29.624{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054761Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:32.667{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE5BC4FC25666EB9069597E9A5552C2,SHA256=F025ACAB0F9E9BC5E554885CC45A9E440CD97F300947E11303A8FDCA4FCFA37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075094Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:33.795{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B289F27B1D226766E54B51DEA6CF7E86,SHA256=A4060EAC09BAC7330D5C4925F29E0A6E7BD672C049C2E44320E608BFF41B11C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054763Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:33.672{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8377905D69FBB76888EDB58D47B464C0,SHA256=6C4914CEA9F61ACD22AFC3F096CF65F680CB984D9D9C88183B13B3E9400E7616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054764Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:34.687{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205375367CCB5FCE2160CDDA37035346,SHA256=1D283FD09531A578765C37D962F8EEB7FEBD345FF1EDDED4C4BA53A84C0928D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075095Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:34.825{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B982B0C9AC92167C2D70D3BEC234C6E7,SHA256=8A710F2F852C7339EBFFCB90C101DA2EDE2CA144BEF47E844C98C2FE09F6EF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054765Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:35.703{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B76DFF8D5812E13C26A998E6E39CC2,SHA256=3432E2AB6168D0E04364E6D740F5DD2BD8AF3D38AD6C58BA0D97410C530DB0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075096Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:35.861{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB8AE76AA87E0B81DDA8FDD5635E391,SHA256=1966401886B42D4BF3C0BB14A85437C9E9C338CC5A57B0A96FF1985140C109F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075104Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.891{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4297EC8B433FE2941220D5536E9ABEB1,SHA256=3293F8940E89FAAD76A9DEE158FE97B03AE5A4063AA6445820EBCAA417BD6EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054767Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:36.718{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6AA69EE5B5F250F390DFD27EF039F8,SHA256=0345A456F0B657EAF374C5D081D5787DE066B413AAA24459F65746EEF62FA306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054766Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:34.629{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075103Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.644{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=566FE63781008E4942C288C500CF6FF7,SHA256=92E19B41837C77AB82BBD4E185AB331E8AE0A472E5F4718F1BBDFD577F3F3341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075102Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.643{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=485D8BD22703F2A006B4816065F3C713,SHA256=038F3C3C3F95C91E9832B2FDCB28F8C545AE9A403E2214CC22334688C88D1B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075101Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.643{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=6FDF9A732B4D4620D6E5E627BD8C475F,SHA256=4E95BDDD190E17FAFFD593C998F043AB41F32A1A65735C03A6D3132F7FF17E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075100Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.642{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=AF4A0989FC615E4253FA312BDD3DC483,SHA256=9488FCBF25CD4BC78819673BA83CDB97F31AC0C38D6D1AA181660EB0EC8C180C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075099Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.641{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=961E11F119FF7FA101450E759B74E822,SHA256=E1FED48675AFAAB7F280458127C5C2F1FB27255BE2BDF1E9F5FCE48054E37A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075098Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:36.640{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=04CDB0F430E6BBCC0B2229DD1856AFF5,SHA256=CBD099C26412992CCED3453F0625DEC3C340EC521D962B2B75BB56904FE95E3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075097Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:33.285{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56371-false10.0.1.12-8000- 23542300x800000000000000075105Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:37.921{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529A32C85D761A99DABF515321727CBD,SHA256=EC83B8F403FFF5A1A42CDB831F651FE911A45B0EA0E0403F5561170A48FAB8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054768Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:37.734{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9699ECD349A24E13EA149E79D665E3,SHA256=24E2753B0EBEF7F3A15CC05C0FE13881E729C7BD0E9C06AD5F862E08CED4AC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075106Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:38.957{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2C1B049B292D991B7B8D2455A701B4,SHA256=FE5BCBA5F70623DFC99BBCDE25EAB5656A8FA2A2BA09A87A0BA08F371ABFB643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054769Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:38.750{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFB5A131BFA3B2EC8792004D96A2E9E,SHA256=1968DCA4ADE6E7B77D25F981EF22FF6BE798C77AA87EE5D4756471A3A12D2B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075107Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:39.988{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1CCFE6979D6FA1AB7BBA44019D5783,SHA256=72B8213F3ED7ECB09BB0AD297F98EB27FAA06E66FEC7A4C6632E485ABFEB74B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054770Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:39.765{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5C88F62276BE427A2BC395133A3042,SHA256=B6D930A2CDC61D13D4BE2C2C00CA7888DF3C8CB62222AA679655E59BB3623712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054771Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:40.797{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEF6BD4E8F98FCFC26D7774EA950A77,SHA256=9F8A2730AA6EC28FCB024B8B43E57DBE6D522F9B16E744EAAD1119C7C211A58F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054773Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:39.660{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054772Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:41.828{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001778FAE04301F148E0DA45D0C2C27C,SHA256=3D0B08D6F2F963DD4631F15EC8C6844073C59E2476E90BCC4613FAD4833ECEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075108Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:41.018{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F4AA64A7948D8A7215D046949DD85A,SHA256=8501A65640ADC6DB551DF176F00A2B19F4BFAB734E560D69A73DC4D742B0987E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054774Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:42.828{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90048FDAA4FCD49EC0C7F9CE9425C63,SHA256=1714B9D7E2F0D1371B69C9C15C9D952949EB96E69D4E08904260BDBC114FF6DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075110Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:39.231{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56372-false10.0.1.12-8000- 23542300x800000000000000075109Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:42.035{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEE8A11517A8558BBC3057AE1953E98,SHA256=D638D205A29E38AE180FD849B462772C5BBDCB583497CDE95B1C952BD9DED537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054775Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:43.859{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED2878B30BBF9B4BB3089C301257B91,SHA256=3D5065EB731C1D2F6D5D7F20DC13487F12A02C37C12447562476E5FD9EB1015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075111Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:43.038{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527A1A7D3FD0391AEB1852C07E59D3E4,SHA256=DEA685174558010A10FE820A64AC03C069EF84E80DA39EE55C9287EC892DC46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054776Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:44.890{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C224D6A11A0D2D311F27933082BBA4A6,SHA256=BC9EC8C6EF07641AC2B457AD117132DC2BC0B53FE38755358614C9BDDF64C354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075112Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.055{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3491F2A88515D8ACFF96299B717B10,SHA256=78BD08221CE593AD5A5779E5E3ED384B4510602C397BF64A60C882DB64A1C5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054777Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:45.906{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903A56562423B58B301358FAADBA9396,SHA256=0AA2F6283BF18564C9D101969D1A4F46E0F0F7D79E88FD58EB5EB3EF889023B1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000075116Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:06:45.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000075115Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:06:45.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Config SourceDWORD (0x00000001) 13241300x800000000000000075114Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:06:45.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EEE851C9-D76F-4DC5-8941-E56B2E5B48D9.XML 23542300x800000000000000075113Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:45.085{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5017CA76F0C100A679C0B88A4EE7ACB9,SHA256=396D07E95C9B181A125B63971110D4054AD16BDF29E6FF29D625D76F891F3936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054778Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:46.953{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC304145A6F812EF1FB68020F9DA8502,SHA256=46E2395C836A0EDDAE2A5616700981DDF566DA57F5FDD075ECEB6C8D27CEEDD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075123Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.303{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56375-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000075122Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.303{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56375-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000075121Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.297{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56374-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000075120Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.297{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56374-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000075119Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.277{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56373-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000075118Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:44.277{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56373-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 23542300x800000000000000075117Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:46.100{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815B01B714974848C2480C5736A15B65,SHA256=C4CD69828022383F39DAA4AD9BC8783396B5623FB2023438F85A5491A5094839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054779Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:47.968{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9959586F1FC19D013D410717326CA7BA,SHA256=029A643AE6F3D8A2D6D30ABD2338CDF5E74F573CB4093FAFCE41B5C063BB0549,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075125Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:45.178{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56376-false10.0.1.12-8000- 23542300x800000000000000075124Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:47.114{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85348A40057F51DAA002BDF1F4D6713,SHA256=5A53A031C0DC11987866D7F97CA395AA46080FFA16BCC3A72D94A84228BAA05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075127Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:48.966{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075126Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:48.133{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C9D4D00A326D380E15D84A2F3DDEFE,SHA256=1E3CB1217A0D5241C2DA861EDA43754F659C7CFB017D5E9D9AE24A99D9C6ECAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054780Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:45.644{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075128Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:49.150{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475311E28FDE614977C3A9ADF031C4E1,SHA256=8701C86C60D04579BD5F036A0E8F0B324CA009C99FB06E2CEA8D83082EE47327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054781Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:49.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78752E10B4427D56D891015A40AF59D1,SHA256=00D996E445C9ECE2DC65342D6BBB458E28D3CD0B018F8226D5B44E321F39A928,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075130Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:48.094{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56377-false10.0.1.12-8089- 23542300x800000000000000075129Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:50.181{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953F5E4FC739B0D4F65C5EAB0337F9E8,SHA256=AC69E2D91CB22B8316D8878B1EF08DEF290AE519A175A757EFDF88FC3AAC0B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054782Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:50.078{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC20E59A01CFCF1D423801BBFB42E02E,SHA256=A51238C94948B5136291DB267A3EC7C1476E5E14980B126F3ACE5CAAF6CF4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075131Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:51.195{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD41794DD7FBA4A2D1046EB9871FCD39,SHA256=6338771763C185E67076EA87FC15AE8A1639451C3947E7CAE2CA87FD5C42B4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054783Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:51.109{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F940E3471FECF793ED9A838874694D,SHA256=216600A67F41C6F0F4C67BB042CF111BC183692BF545A3536ED1849EC746EF80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075134Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:50.370{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56378-false10.0.1.12-8000- 23542300x800000000000000075133Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:52.210{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB6086410F54AC9905FFA95B936669F,SHA256=761115C79FEA5A04AE78C570E69930D9D463E67B5E5E38938E53694F61ADB1EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054785Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:52.203{8A88D375-90A2-611B-0D00-00000000F101}8084324C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-F600-00000000F101}3392C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054784Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:52.140{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FBF2EA1994EE94BE3E058831691888,SHA256=EC1367CAFDD01CD4F33151F30CBF8367452DD19ABCBCB12E153163E6B9F5399E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075132Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:52.195{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-C74C-611B-050C-00000000F001}4180C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075135Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:53.228{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74B2A99A065A40F7C0F35F34E64D72C,SHA256=991585F532B1A5EF69A6E6CBA8DB5448B776C3A94ED85515090B59F0CF15E05D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054787Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:50.660{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054786Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:53.156{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3D047FC4ACBD12FFFD496D7A0DFA88,SHA256=4D73279D5A1E389C364001D6C82AD0A583668A2ADFB3322F8C7E78FE1910C834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075136Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:54.246{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A891DD4D90F98463466806E0292880,SHA256=7E513ADAA2A5A61DFB01AEF82F8DB317523A5535F320556C43EEADD8C0D89AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054788Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:54.173{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CBA0808CED20B1CF10A912874AF811,SHA256=7DD5E173D8676DEEB502D75F25437E9B540CDAF73E0D4555A3CD614739B2AB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054789Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:55.189{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4128952FC3C1F54EB48471EA3FE3E35,SHA256=614ED05C2F610490C9A519FA274ED11756A084AF754116525B7A527061583173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075137Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:55.260{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4E8D752BDC34C3EE0983721E0982D3,SHA256=F6E6455FDACBBCB8B751DBBC0E8FE4EEE7A43D8BE04F4CE2C6290D1157F497A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075138Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:56.290{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39421113627861F92DA27D07BF8305FA,SHA256=3EDA53BDD90BAC46737CC33EABEFA711347702422D10D89008A4F7B6EF770B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054790Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:56.205{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E74F6B61E527C511750E8787148BE,SHA256=DC0826360396F1255816BCA2DE8454EE56D64526D7DAE8BC9766609C9A01A806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075139Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:57.305{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054E22DB44C985AF87F10F41E7346CA3,SHA256=32CED62767E13FEF570D77FF92DE1436C940089FE67EE0E2C04A9A17EEF155AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054791Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:57.236{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2264C88385154D64BB5678F924069F6,SHA256=DD007A181C202A0A24429AE93CD77FCF43CF329B469EFAA2CB46137C76FECFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075142Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:56.388{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56379-false10.0.1.12-8000- 23542300x800000000000000075141Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:58.620{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=79E6865AF4D41A8A9BFAD67DFF1F63E8,SHA256=CC85434A3A670C4CA355FB88FCB0800242C8A0EDAA5C45427BD4B774AFA833F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075140Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:58.322{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0265ECEC9B831447228E2A81FE549AA7,SHA256=0E5FC4A966A159915CBC49A07CFFC37AB9E0A200AEE0F06B2B543BC5F2142FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054792Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:58.283{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9855C5AE5646E621062123C81114986,SHA256=712BA688A713009AAB2DAE85F615E0B1574E201B326AB9B515CB0DFDFE35F6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075143Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:06:59.356{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AD4798273FD5CE3426792F660A7FA4,SHA256=1C71462764C5B0B04BAA555605C69C339D2793026BFD67C306F841AC0E4CA794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054795Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:59.788{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-265MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054794Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:59.332{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7B0621D0CB4BE21D53D2086F2BF9E0,SHA256=F45046D40DEFC06C4EC703E9E8F2D7407828B5C34D1144DC8F61ED9352874D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054793Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:06:56.552{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075144Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:00.370{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426D74922A1419986437A42511FD8051,SHA256=CE70C1FE6757F67C39AB745D93DBEC98D30D3A5AAF323F959462BC6D452594FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054797Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:00.787{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-266MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054796Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:00.348{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B4828FED9C66078C426BF04EBA9891,SHA256=F7D67ED4CB2193C2F18CB106ED3D3CD5C8D6AB3A2955F2E399C6A5046807BAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054798Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:01.350{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D9600D52FF3140F9A1726C5BB9F63A,SHA256=4BAB9D733A1493049AF82E8FE474E448A1588AA5DEFEFF6F4C6968AB08330B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075145Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:01.374{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B698F7E69C445CFC154FCDF831657,SHA256=5ECA7AA775933BDA50EA3637C59A5C00A8CC468BB54139C520FAD3758CC7AD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054799Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:02.366{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB99C661D91DA596CD16584EB1ADFAF,SHA256=E3DC0616FE2D9F95CABDC6C1B0506382DB8B4AE43AE2AE9805B88B7729F38FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075146Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:02.423{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0668AAC5DFEB42DDFB61DD6EF229127,SHA256=74BB52CAC5C3B109E3F833A09F351E99C8D6ED6B267F213C7278850DED1A97FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054800Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:03.382{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CE91391F650EDA1A5EEF8A4105293B,SHA256=1EEFC91C0A8CC7F0CD6B9FF956144CEEE2D622D1A301D42738262439439AEBA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075147Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:03.441{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A8ED5C51A0BF91D1EA278F7EE6E2ED,SHA256=C0C5073B2194A1A43853062118E2D57C1EA9E9CBCCF03833EC28934BB61D3A61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054802Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:02.557{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054801Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:04.397{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE7A0DA38A89F9608F6242FA8F5B90,SHA256=13F251E40A79868022ABB80368603703DB8C38C34895485D1892FF74C73E57B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075148Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:04.471{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCB6B29BB38392D36D8C6DE474D79A6,SHA256=79EDD4EFECC290BAB259580935D9C1B7A0CEBE27F8199D837A0786FAEFE89986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075150Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:05.486{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F4B618A26E6DE3D8E2E42741E96656,SHA256=1041BBDCDACAFBEAB5A8024F37CF757B89547BC37A4F9D32001B922FABAE6DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054803Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:05.429{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C091A27D2EF597D0920358454187D650,SHA256=016FC06AD2D1A11CF2E2975EB48FB5C6C40F595D6E6480B1D8C5AD3ECF251BB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075149Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:02.385{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56380-false10.0.1.12-8000- 23542300x800000000000000054804Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:06.444{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFF2198BEEB9E4EDE5DD9CE83DED2F,SHA256=10340B475D3271E1C6CD06E07E165645ECF601F015CFA6090EC37FD3E0C780EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075151Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:06.518{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663E0C694D04B8303B4D2348A3A84EC8,SHA256=53203E1D9C821B7B174DCC1E7E54D13D341CA76051DC63A74026853C83FB3B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054805Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:07.460{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627944F5D9E037EF04716285FDB332C6,SHA256=FA51AE8F8B92B1BDA7E9EBFA4FB11C8B662928B2E6646BEA370DC53B1A587D1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075156Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:07.568{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000075155Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:07.568{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075154Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:07.568{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1018376.TMPMD5=5DC7F12925A3AFE1350E22C4D18895D4,SHA256=C9B1BF1A545F85BBFF7598EC849E260DBCB3503CF53B1AC3CC4FEE256B700E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075153Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:07.537{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE16250CBCD672C801C23497DC4F1EBA,SHA256=F604DE654D1B1B07F4A9EE30463880737C98AF6DB20AA4C95B7CF4139619645B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075152Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:07.521{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\aborted-session-pingMD5=59B6F5BB3F13E8313771D4EF35FFD676,SHA256=D1D1B8A876BE3CE138E99D4F585C072E8BB2F222F40E2D1BAEB4D277EF0397F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054806Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:08.491{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D0B63B0486836DC9327FDA2B2B2F86,SHA256=091DBF40E1FE7BC41C29F8F32EB2DA0663EA047A06DEA29F722C521415D7EB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075158Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:08.551{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4316776433D2883D00BDA9C83B0C20E0,SHA256=D845512DD3B41346E14FC62EB990A3327C7975B4C1B6492BFEE2FAC3C308561B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075157Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:08.514{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075159Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:09.566{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A514BACA6BB9916F86D9FDA8BC28C8,SHA256=C206E1A665EC402A6F7F6CFD4838FF3B31A3EBDB2FDE733F298B6F8949F155D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054808Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:07.573{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054807Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:09.507{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3843E3F67FE42B4D86D1CB70DF31BBE,SHA256=A3263FA349571C09BD372E3D1A0406217E55EBF8807AF0C495695EAE45783469,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075162Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:08.241{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56381-false10.0.1.12-8000- 23542300x800000000000000075161Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:10.596{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF09357B03F3FFCB15F059A621DCAEA0,SHA256=64BE8C3E850D85E7CDF25E6EA636E70CE94CE10565EEBF2F46BAB51C4325069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054809Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:10.522{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B9A83D2C11CCA7019DC5C3FC2398AC,SHA256=4116E37C4AA7226589DA4F07F1AB8AF06552E537D6D8A2B186751CC11B0047BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075160Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:10.137{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-273MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054818Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D09F-611B-770B-00000000F101}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054817Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054816Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054815Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054814Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054813Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D09F-611B-770B-00000000F101}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054812Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.928{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D09F-611B-770B-00000000F101}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054811Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.929{8A88D375-D09F-611B-770B-00000000F101}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054810Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:11.538{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C275642D1FA97737B93F06CE982813E,SHA256=E384F37F55570EF420C9458BA562FC507D8ADC2E0190E52FE8F81EE4437A6150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075164Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:11.613{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AF9CEDD98ED858DDE9A44A05E78EDC,SHA256=E235108B161B16F75157DDA9298C9625B6616058DB91A5484416D763F2830AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075163Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:11.149{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-274MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054828Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.819{8A88D375-D0A0-611B-780B-00000000F101}20844676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054827Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A0-611B-780B-00000000F101}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054826Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054825Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054824Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054823Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054822Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0A0-611B-780B-00000000F101}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054821Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A0-611B-780B-00000000F101}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054820Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.632{8A88D375-D0A0-611B-780B-00000000F101}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054819Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:12.553{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F55586F49429CE9E462A2652A4BECF,SHA256=0A513F512435BA5D47D6888C4F6D112AB5EDBF7C6A911B02D5CB95E0FBCBD06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075196Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.731{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2649773DFB6C3D4F8A6D4ECD091F08E7,SHA256=CABA5045E878327131EED57CA8F50699F16350E5117AA2448833325E2F5BEF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075195Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075194Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075193Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075192Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075191Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075190Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075189Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075188Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075187Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075186Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075185Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075184Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075183Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075182Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075181Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075180Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075179Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075178Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075177Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075176Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075175Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075174Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075173Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075172Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075171Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075170Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075169Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075168Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075167Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075166Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075165Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:12.194{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054856Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.972{8A88D375-D0A1-611B-7A0B-00000000F101}54525960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054855Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A1-611B-7A0B-00000000F101}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054854Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054853Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054852Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054851Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054850Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D0A1-611B-7A0B-00000000F101}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054849Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.800{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A1-611B-7A0B-00000000F101}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054848Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.801{8A88D375-D0A1-611B-7A0B-00000000F101}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075197Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:13.762{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4CCF23FC4061C39C84130E42A08664,SHA256=32883F46325EC6B762DFDEC5DCF0B7502B9F68A5078DD690E4BCB4FD838407C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054847Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.460{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=581845717D6741889A913E1A3890BF56,SHA256=2B685C93C3B281F530438B3FC4F4C2DD7C571506A92409C7667E3D26E4B66748,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000054846Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000054845Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00fa09e3) 13241300x800000000000000054844Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0x2cf3b240) 13241300x800000000000000054843Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79379-0x8eb81a40) 13241300x800000000000000054842Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79381-0xf07c8240) 13241300x800000000000000054841Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000054840Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00fa09e3) 13241300x800000000000000054839Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0x2cf3b240) 13241300x800000000000000054838Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79379-0x8eb81a40) 13241300x800000000000000054837Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:07:13.319{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79381-0xf07c8240) 10341000x800000000000000054836Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A1-611B-790B-00000000F101}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054835Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054834Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054833Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054832Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054831Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0A1-611B-790B-00000000F101}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054830Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.303{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A1-611B-790B-00000000F101}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054829Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.304{8A88D375-D0A1-611B-790B-00000000F101}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075198Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:14.792{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D0D0AA53EE5A0B2F32BB5C6EC2E59D,SHA256=1D9FE3CD53628E6A1EFD5C539F1FDB2D6E81CF159D4CB5EE2DA762E782848008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054857Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:14.050{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300802B41F314031A611C5FC2323B012,SHA256=3B37AAB9F7501478B939E7843CA12B8883C5D7AC7BB96F94C6387B4F8888D8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075199Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:15.814{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B818101FE46A9507DFD0038AEE4C47DA,SHA256=C7ABFB811BEBCA6A1F1197C1335552551480A1728672BE0720A0C774488F33E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054868Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.957{8A88D375-D0A3-611B-7B0B-00000000F101}33443492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000054867Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:13.616{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000054866Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A3-611B-7B0B-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054865Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054864Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054863Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054862Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054861Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D0A3-611B-7B0B-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054860Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.722{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A3-611B-7B0B-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054859Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.723{8A88D375-D0A3-611B-7B0B-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054858Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:15.035{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38888541F2F13824EEA29B074E5197E3,SHA256=EC10367A8B11EDF80841E4BD9C668B7F52E6DC03670B3AEF5235497BE8970BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075200Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:16.828{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC42B41DF01421B9F65E6EF9A03E789,SHA256=7EB98441CA06E8A7BCBEE532CE9407A6B42CBCDB2D872C4B822203FFEE5F3CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054886Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A4-611B-7D0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054885Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054884Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054883Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054882Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054881Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0A4-611B-7D0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054880Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A4-611B-7D0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054879Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.910{8A88D375-D0A4-611B-7D0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054878Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.425{8A88D375-D0A4-611B-7C0B-00000000F101}42244448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054877Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0A4-611B-7C0B-00000000F101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054876Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054875Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054874Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054873Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054872Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0A4-611B-7C0B-00000000F101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054871Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.238{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0A4-611B-7C0B-00000000F101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054870Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.239{8A88D375-D0A4-611B-7C0B-00000000F101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054869Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:16.097{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9615AB3FEE6C998EB301E03761B61595,SHA256=E0BF4EDA0C2F866CF1E9A51C398BA969260733B7717BE69978506AE2B60911D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075202Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:17.858{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607A48165E6CA3F4A81E0E71CA77A5,SHA256=9272C503B6676CB462BF58708D1449C6223D4F83A32B577D14718AE172777F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054887Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:17.113{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153AD68F760A795EDEDC0A5AF0FFC94A,SHA256=9613478E6E43604202D20DA738BF70958169FD62F98A893BE62B3C013B5565ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075201Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:14.204{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56382-false10.0.1.12-8000- 23542300x800000000000000075203Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:18.873{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D49C0CCEFA6EB2A5091D8558F9C79A,SHA256=9D17F60C53238E0C8DBBD2B9AE3EA6B86B6AFDC5D2FC2E18C55808606FEEF7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054889Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:18.613{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054888Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:18.347{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93341439EF878923FCD87E1BD98D2E5F,SHA256=D21522A56F5A41D7EE1BA1A5E26D3B17CB111FF93BCDC55DAAE8E8B79F965E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075212Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.888{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED045A6C0B8F9C8A878BE771A9B112A,SHA256=A1DFFC2A857F8D93338B543950A2FDE94579D251D4CBE4FF76C4670AEE5B5E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054890Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:19.347{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D929C8BF850FDD6DC9C6C17657FDA896,SHA256=7D4945958FEEFB9F1FF07605A974F0BBCC2109566B4F26C72FAEFAAF89E801A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075211Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0A7-611B-6C0D-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075210Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075209Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075208Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075207Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075206Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D0A7-611B-6C0D-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075205Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.457{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0A7-611B-6C0D-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075204Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.458{2F630BB9-D0A7-611B-6C0D-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075230Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.908{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AD35F3DE724FD32B492B54343BBBF7,SHA256=560002B32864DA54A87C79EB928A63FBF0BB95A80FB4D4BC1A25B2681B11BA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054891Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:20.363{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471531BFACBA895337EA1E9EC938159,SHA256=06693849B41BE0C24A1A16D1401A3C98B8543DEF4266102C9DA2E68CB3A28DE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075229Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0A8-611B-6E0D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075228Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075227Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075226Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075225Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075224Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D0A8-611B-6E0D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075223Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.624{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0A8-611B-6E0D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075222Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.625{2F630BB9-D0A8-611B-6E0D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075221Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.187{2F630BB9-D0A8-611B-6D0D-00000000F001}47526276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075220Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0A8-611B-6D0D-00000000F001}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075219Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075218Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075217Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075216Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075215Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0A8-611B-6D0D-00000000F001}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075214Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.040{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0A8-611B-6D0D-00000000F001}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075213Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:20.042{2F630BB9-D0A8-611B-6D0D-00000000F001}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075249Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.985{2F630BB9-D0A9-611B-700D-00000000F001}50848128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075248Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.922{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FF361B7AD137EAB8E371978424C036,SHA256=C645A982084C13C94E8C709BDFA244DAF459B63C526BCA07F26AC1881632F594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054894Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:21.378{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97F698BBE1E212DE32DC99A26E0795B,SHA256=F1EB68799FFF7F12CF35A7F4DA4A0BA9805FFD81E57EF9B28783387E308DCFE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075247Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0A9-611B-700D-00000000F001}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075246Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075245Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075244Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075243Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075242Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D0A9-611B-700D-00000000F001}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075241Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.838{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0A9-611B-700D-00000000F001}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075240Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.839{2F630BB9-D0A9-611B-700D-00000000F001}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075239Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.339{2F630BB9-D0A9-611B-6F0D-00000000F001}76487272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075238Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0A9-611B-6F0D-00000000F001}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075237Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075236Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075235Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075234Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075233Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0A9-611B-6F0D-00000000F001}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075232Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.155{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0A9-611B-6F0D-00000000F001}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075231Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:21.156{2F630BB9-D0A9-611B-6F0D-00000000F001}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054893Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:18.679{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054892Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:18.085{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000075260Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.923{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC227F4D527D5C554CD1FC013994E90,SHA256=A5EF0F60F0E00877F7C9991F3BEB3641B70AA4052A448C353FD0D90D11391E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054895Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:22.394{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F511D8C9182C29D59BA5B47E364952,SHA256=3E5FA81CB7E57CCBD304431BD35FD6CF49E7665934D0674F01269DCAA8C89823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075259Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.653{2F630BB9-D0AA-611B-710D-00000000F001}34206236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075258Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.505{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0AA-611B-710D-00000000F001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075257Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.504{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075256Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.504{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075255Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.503{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075254Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.503{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075253Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.503{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0AA-611B-710D-00000000F001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075252Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.502{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0AA-611B-710D-00000000F001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075251Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:22.501{2F630BB9-D0AA-611B-710D-00000000F001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075250Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:19.299{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56383-false10.0.1.12-8000- 23542300x800000000000000075261Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:23.954{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC1DD11BFAC899A73E8AD6301327D7D,SHA256=497A1E42F3E2535FD7B362043AA51A85BF19189DFE10411AE2DECA8E6411927A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054896Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:23.410{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321B5AA737EAA1E763EE33DECDCB6FB9,SHA256=C4E2C601894453D4F71BDA0442DBF6817AF704434B33588CFAD6778FA237E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075262Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:24.968{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696B347169E15AF13C5C4F1ABB4C4E38,SHA256=4E8F6CE3471E37BDD2272372D8A4E2ACA3C7233C64A9E68EFE1563F531424DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054897Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:24.425{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC423A8910F76C8AA9F729A2788227E,SHA256=4958CE0FD3B7F8342C506D8CBE7035EE4A5D716B0B43E9D7559FF30CA2708F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075271Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.982{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC05D17C0897FB7BFCF3F1E8D00489E,SHA256=BD75B146021D276D2DA8FEFAA6E1294A62E8000D0984AE9FE3B3F096D253DCE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054899Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:25.597{8A88D375-90A2-611B-0D00-00000000F101}8084324C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1600-00000000F101}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054898Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:25.441{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E3454CF1308DFCA6233754DB67B8A6,SHA256=7BE639F48CCEFEDF28A4DB761ADD59765A1758FBF8D5A069A06C000A46873D73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075270Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.104{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0AD-611B-720D-00000000F001}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075269Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.102{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075268Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.102{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075267Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.102{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075266Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.102{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075265Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.102{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0AD-611B-720D-00000000F001}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075264Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.101{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0AD-611B-720D-00000000F001}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075263Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:25.100{2F630BB9-D0AD-611B-720D-00000000F001}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075274Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:26.999{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFB1F576984EBB5B29F7E99CE2A34C0,SHA256=C6F9371B535F44F228DADCFCC8AE8225C47F0DA14BF866EB08AF094233EA49B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054900Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:26.456{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0057F6DCC448550E14CF7B87FAEEA641,SHA256=51D9B081898CBCEB9E116168736C7A4B38C25E14D9503D957CA8875BCDC47C64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075273Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:23.896{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56384-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075272Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:23.896{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56384-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000054902Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:27.472{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E48C5EF00950DAF5A553CAD3645880,SHA256=338DDD6605F8277ACAC15D20AD86F7AEA8EAA0CE7CBA9C276D2F92780E877494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075276Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:27.798{2F630BB9-8EB1-611B-0B00-00000000F001}6324720C:\Windows\system32\lsass.exe{2F630BB9-8EAF-611B-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000075275Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:24.328{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56385-false10.0.1.12-8000- 354300x800000000000000054901Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:24.554{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054903Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:28.488{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22ADF7460EC69E18843E90867BDE6722,SHA256=4E55F14B68F52EAC20909C9897820A8D786DBD8F6E63D88B40EC658DF3BC216D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075279Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:28.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD0CA3AD1C4767EFE577C28F0DB307C,SHA256=45D95D4EA19E868F23E5A5F083B016E1ABD7FCEB35102074B323EB0D8930FB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075278Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:28.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC79D3B5011484097D14DF966B2548DF,SHA256=F4B109879D9DF4487668DB03C0E2822217E9D0311A35202E46C65D8455450F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075277Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:28.017{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E2BD5CCBEA2E13AE18D84CF3FD3161,SHA256=6E270A81922EE969DFA5CEEC41B6E8212F35A00307D7A649E93DD963E546EBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054904Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:29.503{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04A7283D011967E7055354004945BC6,SHA256=80D4B531DC5881D11537BA78113E1D5ACF5BA2C95B5618D0BFCA150B14D707A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075282Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:26.939{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56386-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000075281Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:26.939{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56386-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 23542300x800000000000000075280Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:29.047{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C211F03971245D96519059C3993078B9,SHA256=0056FED88F944A8D81903F0AE36B6D571780BFF7ECA9F78DAA4EEFD52DC26F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054905Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:30.519{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF3E7C344AD8FC456D5BE6285EEF342,SHA256=F800B8A538D9FE766799CBC5E7E0CA31AC02A514645BEFE8A56C93A1CD17CC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075283Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:30.062{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7707D95C65D79EE34E8AC542BC700A,SHA256=B0246B05175C29A92F9A23726EF210AEC426E8C93F35F60D1D750911E42E8518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054906Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:31.535{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B44B17BA1EBE82AAE5B40D26F90B544,SHA256=9D263C148D677654C2FCBA6FE781E5B036A8AF4E7017C153FDCE899156D33AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075285Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:29.336{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56387-false10.0.1.12-8000- 23542300x800000000000000075284Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:31.076{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5554E307342163AD921408E0736E97DB,SHA256=C81FC76D93442AA1E3C75B95D3198CD60AE826194A93C732984F08D2ADA9008F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054908Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:32.550{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B6D97092FFBF50450A18B8A5891C7F,SHA256=EC85FDBB4593595F4A3A0141EF3C665E7EC1FEEA492CD19DD4829775DB8CFBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075286Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:32.094{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3348B9C3026D16204D8967DB07438BB,SHA256=19B3ABF2375EAF281BE1564A92D1EDED85920BD202F1B8FC81DB42613EB1B96F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054907Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:29.647{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054909Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:33.567{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FE0C6448CFDA2157E59727F21880D4,SHA256=EBAF58E0859308D1D205504E7C4AA55C8C2B11AE6196407DB6DF6E5984CF4DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075287Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:33.112{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5992113A55060ABD07F3AF60BC1E1EB,SHA256=CE7F722DAED31812915C70C48044F7FE2565F471D75E51F4DF09D7959BD30B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054910Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:34.582{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CDC99B266EB0761DB6DC68BD4370A,SHA256=38520BB56B855B6D19BC7A6EF5D50F59DAAB346F9661D8BBF8AB7E441ECB296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075288Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:34.142{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B1A0C6BCAB71D08DD611475A62B8E9,SHA256=A37AA825BCDA9E74CE4F63CF2766B2D5CA60C911F9913835AE6A4DE3087FC41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054911Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:35.598{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003F4945B3452AAA8C97C88379DB8DDD,SHA256=2ED9A5367DBD20048F5A3A2A3A3970501F31A04E885EB06BFF6153394F47CAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075289Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:35.157{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBC4A1A378CEB49C9230898A8BE13B5,SHA256=6065E1F4F9E9905548955611CC6EB47CD13B872AE2AE6E5A613A09497F178526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054912Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:36.629{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0075AD7D2992D35EBF4E4D87D8D6275,SHA256=D0661F0AA8E122FDA80A990FA984EE4565A99A08336DAD26798388AFB7B4433F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075290Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:36.190{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351E53AAEBC413A07564816748261E75,SHA256=CDCEB484FE954C161CD1F06492F6AE28E4FB16116288A7C0C644E2B4C0BFE485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054913Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:37.645{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4BD7A970EDEDEF572EFCFF97253169,SHA256=C2198398A77F2BC39ED558B3E3DEA9374914F7E22DED5C23CBB7C771272FB2AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075292Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:35.252{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56388-false10.0.1.12-8000- 23542300x800000000000000075291Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:37.224{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57407736C2A7C9B091D949388A7CEB6B,SHA256=B9F2250A6ECCDBBF09695393EC7BF3F34BBCF56A3F1C08B50D45738BE280DC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054915Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:38.676{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59312667D57EBD39747119DCB9D5D644,SHA256=D4D3076136322628DF20A019863178C0E6E23050FF1FBABDE7C802D1839D7C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075293Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:38.238{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0A45FF21029DF6F485228BFE62C522,SHA256=6E89128E4F9A82611C35AC0D96602DEACCCAE1F6CFB11B9D9263C2990144DB8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054914Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:35.570{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054916Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:39.692{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF3AB0B54D843579E8B6A83F2F4A0E7,SHA256=B7506BDCBDF4789C2D9258188B59FEE398B9230F012273A053F8074962A2D6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075294Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:39.253{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5951F80B72FEE3CDD9DF604A076D11,SHA256=C7D0363F80E8AE8A3206992909B09830AAA6AA948D0351FDEEEB25BE7FEB1A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054917Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:40.723{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA562DC7EC7B1DAE1F2239ECCA73CD4,SHA256=906FFEBA0A41D247F3B74F8C01119F0B0D61AAD5AFF814E3A68A9F066FC80A14,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000075305Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000075304Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010203d1) 13241300x800000000000000075303Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0x3d38c1e8) 13241300x800000000000000075302Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79379-0x9efd29e8) 13241300x800000000000000075301Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0x00c191e8) 13241300x800000000000000075300Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000075299Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010203d1) 13241300x800000000000000075298Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0x3d38c1e8) 13241300x800000000000000075297Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79379-0x9efd29e8) 13241300x800000000000000075296Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:07:40.420{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0x00c191e8) 23542300x800000000000000075295Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:40.267{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E7F93D457C75C13A30202D738DC11F,SHA256=C27613A49B40302F426A8F155D13D85585ED082263529C8F1C8A802130081819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054918Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:41.754{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AF6CC9A674777D0EDDB1DA236462D2,SHA256=63858578F2AA84191E60060355A6E05C60D9C88E579F4523DC21DB012E62E5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075306Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:41.304{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084C88308151688B32EE752799D6C7AD,SHA256=876356CDA9E6346DB4D50C40F40C320C5E87217829F9BEAE2E6B4EEA7766B326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054920Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:42.786{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BDDC820371480440F06EDDFE5EB2F9,SHA256=14B653CD7D432804F8D529758EF039695595452D9BB66FA00391E3FF0FA234A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075308Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:40.310{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56389-false10.0.1.12-8000- 23542300x800000000000000075307Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:42.319{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7B8BE4334E2B04519775AD3635144A,SHA256=4F2B713F77D2076C465FF63B36D389D433EDBA101A6112CCE5FFEF0761B31582,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054919Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:40.648{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054921Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:43.801{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D98B4316CBFB9802E939B6149AA43C9,SHA256=5B3ADF4835971446D7D089A8C8061460EFD7978F07E343754A0D00585A7EDBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075309Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:43.333{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFDD3E2CF247A9AC815C325065017FE,SHA256=4FB5CB438AF6EC86F8145DE3B292B205FE873EDFD7F8A302D008EF2EAFDA1E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054922Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:44.832{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0628BEAED1B664F84DB8C7F1BD962710,SHA256=AF768CFF9108CE57CDEBC28D445682551BB2A517CDF0FCFEDAF23900ADF4F3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075310Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:44.347{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEE5426582B7B25090FD797B1560179,SHA256=1AA76A810C3521CB78D4255E83B664CDEA686DF4C134B8D9679A20751CB387DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054923Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:45.848{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FF5618755943052AD940E01CA637FE,SHA256=84847B0DD4AF48F9CD86EA9ECFF568A741BB580E9DDF7220478A7711550D18A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075311Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:45.348{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D68320C8B0862917B54B17B4B28F73,SHA256=AAFDB5392BCA3B47981904086446AF1F655A70F39FB5F653217EA37D47B81A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054924Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:46.879{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5558C94C4379892CE634D82DDC2009B,SHA256=461BF18463391D05FE0344D6F509792DF0FF258F196E25D1051EA305863B6A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075312Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:46.381{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974C497F1689EE729B517E6F50CBC59A,SHA256=7C98172EFD5C04E9AD8261E8A6B78FDB1DAA1B800E4EAA9BB1D3EAFDC568C13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054925Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:47.895{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46221174479E9BB254A01219350B8879,SHA256=74649EEBC3892B586DEEA1C1A7559B06A49DC51C30AE980B456AD6B7C9B7EE4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075313Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:47.399{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FBA3C7F3D15699C8CD6ABCC1434D6E,SHA256=D4F3EEE58C2B7CA1DEF2B6AD62330B3DA06AA1A702582C9A2399B2B4634F5DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054927Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:48.926{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14990FFD5B6735995A43D4A42E759F6E,SHA256=0BD2DE1455F1B7E62887071CEDA441488BCFC6B60DF972239075E2D6A1CA6EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075315Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:46.174{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56390-false10.0.1.12-8000- 23542300x800000000000000075314Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:48.414{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A14CCBE7123D61BF91980750D491C7F,SHA256=FDFB264023FF19C817642A4852797A0FCEB1A20AFC6231A95DCB772999F7775D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054926Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:45.742{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054928Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:49.926{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF840C24E98A92C7D3BF10F9A21F3FB,SHA256=E3EAFB471288169979ABED54DCEFE61DEA5CB550EC9DD030812C12D673CA1FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075317Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:49.444{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6718B9E19BF021E63747BF28AE191C6,SHA256=AC75EF2BBFA825CB7CC46029DEA90505AA886A63372D05AB0D0743FCD306D35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075316Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:48.997{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075319Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:48.119{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56391-false10.0.1.12-8089- 23542300x800000000000000075318Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:50.458{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F61B67196F3BB8128E65E63AAC832B,SHA256=594312FCD57958504A4A843D47B2A14E6619C2F043F5BDC8EA137E8FA3946A33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000075322Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:51.842{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\SiteSecurityServiceState.txt2021-08-17 14:32:51.781 23542300x800000000000000075321Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:51.842{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\SiteSecurityServiceState.txtMD5=733BBFAA707A4575E7FF9CD1E9228942,SHA256=4C853F34E3120443CCC5110AED0E234AEBE2E66429F4342E236120F26DAD5880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075320Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:51.476{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B417A4C31F344E1D4462812BFA716FF,SHA256=984C64320E88410DFF2C27206336A72AF905FD96E09CEC9EE8824AA3CFB3DFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054929Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:51.004{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776F881DF1DD7F03E558E039874DA4A8,SHA256=51CF3FA543F9909814D5F40093D4CC82EF0C1F7D460AB0D6CE29001414060C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075323Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:52.494{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE8FEB57874A66FD7E459F27F4EF68A,SHA256=14C7298AFEA103FBA1CBE39957A0E196407D966D14E251252ADA7DCFCC9F70F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054930Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:52.020{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2BE65E2F42234A95FA5E8970FC23C7,SHA256=5FD856FA585B2BAD64D5CE9D9170112A71E50DB252337A588BB7E7988F18D539,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075325Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:51.338{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56392-false10.0.1.12-8000- 23542300x800000000000000075324Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:53.508{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FECCBBC3F1A84F67827B55FC46AFFBC,SHA256=635BE2A7BDEFF1528EA3FDAADD07AFC7D0A421FE76535E65F7FB218A92361EEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054932Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:51.523{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054931Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:53.035{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD012A0B4164F86564261602AF30B066,SHA256=5A088A322B7B905B44963D29DAE563D81506421AC96598F9CE8E465EFE566C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075326Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:54.538{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7616D4E5683EAB64F3DF39C4ACCC9A8E,SHA256=3345621769569FBC5DD68767B5EE73AA5AFFEE66F095B880F71ED64240E1C8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054933Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:54.053{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD20BFB3304DCB513C5EAD56ABF9A3F7,SHA256=B7DC877748E7DBE9E8F0B0ECCABAE468875553EA79BF92FC84EEB09F54A16361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075327Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:55.572{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DD6E2A8703E3C772A52F7A3C5FA4F6,SHA256=6C49A279AF001C5ACA37903681271B7AB4F527EE67A5DCB53BD688BBD85914F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054934Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:55.068{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4CD52B95534C4CBD3754F35A664197,SHA256=7F521A8CC7E779283ADD4ACF6B15957FE3574D17E75D23EEA89A1BFA06DEB75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075328Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:56.607{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6799BA4CEE13C5C36E881A93AEE5C7,SHA256=5ED642E1EBA0EC3739D8D847B31448D402C9E29904E25D0CDA5DC6FCEF185E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054935Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:56.115{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828D55271DE84692551FE33030669A6B,SHA256=E29EA5FEAF0DF6FB14F1A73A75C36034953341B3DF50077C69FCE0489CA08EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075329Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:57.621{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B62D8028AD0FC0C6A26B286744BFCA6,SHA256=6ACE5B29A2448E1F8552F3ABBD603F4DE6AE779C217B868BE35E980E9928615C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054936Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:57.146{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25910C9899F62EF06387AB0A94750909,SHA256=4DEAD5920C02F25D341920137538A7007E9C61D1F669CFBDA0D651ABEB5938E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075331Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:58.635{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930EC0461408C4AEDFB712EE04B46D7C,SHA256=BD291707521CFCFEB6B352F4EEA8164EBF5BB26EE56D3F24A2E96E7D26A3ABB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075330Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:58.635{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACDDD693F3184AF3DDDE85FD283D6543,SHA256=19D281AD3AFCF65E65279B440160404D41B7C73278C6D2679A602ED3F7A2AE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054937Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:58.178{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99245ADD0785E838EF0BD35C65238566,SHA256=49921239D01872A1512268D5C1F6330B1025A1BC0E4B8D53DE73F03705B04580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075332Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:59.667{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B0C15C7354579703E759E2731D983F,SHA256=E7F8989E9B47CD002A14CF8B7AF4E81ED7E5F3983DDD90F487D3DEA7E647E082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054938Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:59.209{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF126471548A43FAAAC8080724271A6,SHA256=AA9487D33AB4D55AC319144B3F5B658B74CF0FA13AC6481E791D62F60468F925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075334Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:00.702{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C54E553034E93E4B63F881659BCA24,SHA256=FB9CACD50CA01377B91EFDC65965B4461E385EB84F3DB9223420E9D80C90AAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054940Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:00.224{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A8A369DC55DA2B772010EA92B07529,SHA256=56524B9F461CF058E2FD4EE1C666639172C8FD74FBC09D8F9828978F7D6A3725,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075333Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:07:57.234{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56393-false10.0.1.12-8000- 354300x800000000000000054939Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:07:57.540{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075335Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:01.716{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E87F8999945E352C544211756FAA1A,SHA256=08D9FE4C4B7BDA719B9DC068AD0CCD4A6A816F0B02B4F698766122C971CB95C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054942Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:01.307{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-266MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054941Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:01.241{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A669D996F6A260070CE8E4878ACAF4,SHA256=7115AAE04E4AED94242B0990F1C28071D54DD0EC42FE785DDC6919959B03DB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075336Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:02.731{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF05F8FE4B0DD7C0899EF4C3C24CBF2,SHA256=FB11BB69A0DA95EB2637E688FB3CAF13CC90EB3BD57A02B12278CCE75600AA46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054944Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:02.306{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-267MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054943Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:02.258{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8189899DCFBA24972E590CDC0D3CE04,SHA256=B34FAED6603D7DA95C9D38B8BA356F4CBC4A6B70673B0A4F396A85698286202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075337Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:03.746{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A9C2CB4F9FE4056EA113FCD23E87D,SHA256=9FB168A43418EBB0DDA16BED7FC3540975D7A373B3153374FAAEDFAB4D81B20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054945Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:03.264{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A8C0B4173E45B22EB05177B4E62D08,SHA256=4C2F547E8FF4185ACA494A04B8E6DDF1F456B034E45D760B3F8DC49013099E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075338Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:04.764{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A911136B9911378AF32152BC34044EA,SHA256=1EC0D97E1A3FE7B0F3FE98DD4F498B4F40FF6439F0FC12F67015C3C88B828D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054946Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:04.295{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821A7598B038065B2AC79D09B9D5DED1,SHA256=E90C3FB2E45F0852B26A59D57F517567D66D56C7351E2264B2D5FD7454FC0635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075340Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:05.783{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C372C4ED130F3C2C4ECE971CFC80DD74,SHA256=20322827DD8B9AC2E2F59CA202AB712885D17DA163AC1F2B6D9DBAA47DE8E891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054947Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:05.326{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B443E6EB30919821CCADEEDF3B5F2E3E,SHA256=4195959C3D637CF80AD99DE7576855A3F301FB6F8813A06770D6A09C2DD25A45,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075339Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:02.243{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56394-false10.0.1.12-8000- 23542300x800000000000000075341Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:06.797{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34019E9F9CF7FE8E58AD4A140A8D7F80,SHA256=E9985D93A76868114FC8A495CBE886B3C487DDA45125DE5E5FB0511F08C1CB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054949Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:06.389{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3D0C22CB17DBE832085C26DC60F556,SHA256=7061F480AB97357C55A04E3AF5188E9914DE2D0505A4EA4B8CEB3EAE75563DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054948Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:03.564{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075343Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:07.827{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019BC9FAE70CFA545C78716965CC2C90,SHA256=03F1B65348D49A3EA77830102603B7890CF0F671E0263AC03BBFA6D6E52376A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054950Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:07.545{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D945D4C5CB321490216F010DAC22D8A7,SHA256=C382AF50B9464B99D154607413DB2A0A9D3DEE562E9812FE782F9D72D65EEBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075342Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:07.228{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=072AA7C030628227C829042BC342A83C,SHA256=ADB21435BAA9509E4D581FECD0CF697C0BB9E098A9064F7C1B605DB8F94C33E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054951Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:08.560{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3317FDE52EBD91EDB418EA3B7B8F58A7,SHA256=E67D3B348EAEEC0AB7EF6C50850312D1D45E9A8FCF6321E9233A9DC7B59C4C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075344Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:08.859{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8D31BE5AEED732EDBAA179D7A30AB9,SHA256=728B51D9C85784500EBADBE2BB60D713F4B999FDCE39D2590930AACFC2F62EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054952Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:09.592{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB20C56D86A8A7C053CB7D314681CD9,SHA256=53EA5815A7B26464A4E01F1E2CE211EF9C3B04EFC72413D1BB3967BA280A4CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075346Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:09.894{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F6DA639AE4D4C0BF87DC601396A817,SHA256=03D317D96FE08D0AB919F304C1713A991E74E4D521434161142BC40324981DD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075345Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:07.286{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56395-false10.0.1.12-8000- 23542300x800000000000000075347Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:10.924{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574594FE3418017033549FD803ED0DF9,SHA256=1E19CB201695CC6CBBAE3B42FF04072816FD950296A0D104A2968FD2EDE650AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054953Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:10.607{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D6FEAC9D59C9748C24F33365C82DD4,SHA256=5780A135F729F885E1129A1106FCEA181A7230C5C89D260C1604A6707799D7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075349Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:11.939{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36392F13DC91A2F9953E561AF2706583,SHA256=DC26CF3E592F397DC3BBAD39DF64646434C211540624EA33AC7664F0B678DE6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054963Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0DB-611B-7E0B-00000000F101}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054962Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054961Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054960Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054959Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054958Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D0DB-611B-7E0B-00000000F101}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054957Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.935{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0DB-611B-7E0B-00000000F101}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054956Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.936{8A88D375-D0DB-611B-7E0B-00000000F101}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054955Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:11.639{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B07205EFFF7A402D12A14DB1B9FF9F8,SHA256=2515FCE466C6766E5B78704D63E988EC854182A73CC5B3190D3E95B5D6437263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075348Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:11.678{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-274MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054954Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:08.579{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075351Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:12.957{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5CEB717CDCA6633AEB1EA79E02631F,SHA256=B6C291ED1ED1B929602C1D53FD31B8B22917D533CB6948E215FDAF1571AABCC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054973Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.810{8A88D375-D0DC-611B-7F0B-00000000F101}54282508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000054972Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.670{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D3447A943872E9EEF23A286E2BC380,SHA256=04CFD4BAD02301BCFB937602B93963C1A0CB0FD41CFEBC38A6D51568A32576C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075350Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:12.692{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-275MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054971Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0DC-611B-7F0B-00000000F101}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054970Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054969Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054968Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054967Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054966Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0DC-611B-7F0B-00000000F101}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054965Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.638{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0DC-611B-7F0B-00000000F101}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054964Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:12.639{8A88D375-D0DC-611B-7F0B-00000000F101}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054991Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0DD-611B-810B-00000000F101}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054990Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054989Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054988Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054987Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054986Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D0DD-611B-810B-00000000F101}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054985Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.984{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0DD-611B-810B-00000000F101}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054984Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.985{8A88D375-D0DD-611B-810B-00000000F101}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054983Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.750{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1754DFE6A6D505C729873D0F27152124,SHA256=93EFEB7B6325A7E1B5A17B1DAC1039E3E492F88F42347C1F58C19BFFBF435B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075352Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:13.974{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003C61F9E992A4DD40E85A9A74763565,SHA256=3CFFF429477BA2757271B0D4B4E37F3CA38B8288A077C08AC0225E18BC867B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054982Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.467{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=73BBA9B1CB387988CC75D7E1DB2B2C58,SHA256=DBDA7669FF613B9DDBDE9244C348A90B89C19F7980448311FB03D1CFC505B457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054981Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0DD-611B-800B-00000000F101}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054980Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054979Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054978Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054977Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054976Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0DD-611B-800B-00000000F101}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054975Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.310{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0DD-611B-800B-00000000F101}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054974Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:13.311{8A88D375-D0DD-611B-800B-00000000F101}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054993Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:14.844{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D4740F48102A0EC3025306978BA542,SHA256=5744D76A8D03C43FF7E4FBC0B1115FB9548AA0AEBA16F7F4D654114052EEA779,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054992Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:14.156{8A88D375-D0DD-611B-810B-00000000F101}59085156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055003Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.968{8A88D375-D0DF-611B-820B-00000000F101}13084496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055002Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.875{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F898665E4C10082B2ABEBD677948A5,SHA256=0B03BA9C1C2790F006FCAB6760D5B3651F2166A276DD58642A4AC374E37F54D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055001Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0DF-611B-820B-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055000Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054999Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054998Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054997Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054996Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D0DF-611B-820B-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000054995Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.734{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0DF-611B-820B-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000054994Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:15.735{8A88D375-D0DF-611B-820B-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075353Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:15.009{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D51FC99B3B8803B07328D6655F32F2,SHA256=862BC37B1EF07F8C60045A71BB7B7909775C0DE16522C229115523841E84C2E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055021Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0E0-611B-840B-00000000F101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055020Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055019Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055018Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055017Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055016Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D0E0-611B-840B-00000000F101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055015Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.968{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0E0-611B-840B-00000000F101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055014Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.970{8A88D375-D0E0-611B-840B-00000000F101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055013Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.890{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02E3A310995218796827A32ED493D3C,SHA256=C0FBDC956DE9DB19AF8398F97E707E82ED292E3E370C77052EA34019559A27F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075357Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:16.934{2F630BB9-8EB3-611B-1600-00000000F001}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=7A19EF82F55BB623B671C86E33DBEC24,SHA256=AF2474F6DE12CEEF92B111A8B337DE951E3881DC21189420343D38F481684FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075356Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:16.919{2F630BB9-8EB1-611B-0B00-00000000F001}6324412C:\Windows\system32\lsass.exe{2F630BB9-8EAF-611B-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000075355Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:13.233{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56396-false10.0.1.12-8000- 23542300x800000000000000075354Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:16.035{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDF4EA88424B4AF5B7CBAF2188DA793,SHA256=BE032195A2B0945AC2BDACDF21960D1789CCD9A1376255BEF9A669AEB694A334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055012Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D0E0-611B-830B-00000000F101}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055011Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055010Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055009Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055008Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055007Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D0E0-611B-830B-00000000F101}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055006Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.343{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D0E0-611B-830B-00000000F101}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055005Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:16.345{8A88D375-D0E0-611B-830B-00000000F101}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055004Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:14.565{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055023Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:17.984{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85006548B29A4E0A50703F7061F745D,SHA256=82DA2717ED2417E5BE1E3B4948D106FC77949C698F793FC78A24EA26DCD71B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075360Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:17.933{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6F6A1E8A84DA8A3F96D63DE57F0988,SHA256=F0978B542CAADD08AB1E3CA9D7FE8D607F1966126AEEF3C96A9F3060D65BD776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075359Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:17.933{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD0CA3AD1C4767EFE577C28F0DB307C,SHA256=45D95D4EA19E868F23E5A5F083B016E1ABD7FCEB35102074B323EB0D8930FB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075358Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:17.071{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC80F7737F3833A2E46D9734E190AF2,SHA256=AE45C94C346D766D564BED081C1CA5836197B59875CC65AB6F3E719BDA5854E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055022Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:17.140{8A88D375-D0E0-611B-840B-00000000F101}49604032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075367Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:16.065{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56399-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000075366Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:16.065{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56399-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000075365Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:15.957{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-86.attackrange.local56398-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000075364Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:15.957{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56398-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000075363Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:15.949{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56397-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000075362Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:15.949{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56397-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 23542300x800000000000000075361Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:18.101{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FF9EEA935CF17DD4F1B5E434DF46DD,SHA256=519C8BA3C9D461375B25F581709D3A8752896A06163F4780139FDA1D1C7496A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055024Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:18.640{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055025Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:19.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4470AE2E41D245E3DE9FB6BE1F1DA,SHA256=8D53B900E44A0882FBEF35ABB3645EE445291A2C2D5E1C965DF8ECC16FEB4949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075377Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.631{2F630BB9-D0E3-611B-730D-00000000F001}78047864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075376Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E3-611B-730D-00000000F001}7804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075375Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075374Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075373Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075372Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075371Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0E3-611B-730D-00000000F001}7804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075370Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.468{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E3-611B-730D-00000000F001}7804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075369Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.469{2F630BB9-D0E3-611B-730D-00000000F001}7804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075368Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.131{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70361C174A1EB27301EAF259625C006C,SHA256=6B2FF02794FB3AAB57D4B43036942FF3A7B7FA4E6CB59B9EBB5C6FE96FDDBC89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055027Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:18.115{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000055026Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:20.047{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50CA47E9AEF99C94DD5B3B5DF0D130D,SHA256=DF429F93947AD1025285EE5551EE7CE11F96F882E6BD3CF8F0AEB45891B5A327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075394Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.650{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E4-611B-750D-00000000F001}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075393Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.648{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075392Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.648{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075391Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.648{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075390Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.648{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075389Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.648{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0E4-611B-750D-00000000F001}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075388Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.647{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E4-611B-750D-00000000F001}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075387Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.646{2F630BB9-D0E4-611B-750D-00000000F001}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075386Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.152{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE69B3089780A4BE48F2656CA8696F2A,SHA256=288787D4661FF39B61234DA1EABAFE68E171C4549D5294549259BCCE3BCB82F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075385Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.151{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E4-611B-740D-00000000F001}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075384Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.149{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075383Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.149{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075382Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.149{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075381Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.149{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075380Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.148{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0E4-611B-740D-00000000F001}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075379Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.148{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E4-611B-740D-00000000F001}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075378Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:20.147{2F630BB9-D0E4-611B-740D-00000000F001}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075413Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E5-611B-770D-00000000F001}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075412Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075411Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075410Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075409Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075408Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0E5-611B-770D-00000000F001}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075407Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.982{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E5-611B-770D-00000000F001}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075406Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.983{2F630BB9-D0E5-611B-770D-00000000F001}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075405Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:19.226{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56400-false10.0.1.12-8000- 10341000x800000000000000075404Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.466{2F630BB9-D0E5-611B-760D-00000000F001}81207476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075403Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E5-611B-760D-00000000F001}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075402Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075401Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075400Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075399Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075398Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D0E5-611B-760D-00000000F001}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075397Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.313{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E5-611B-760D-00000000F001}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075396Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.316{2F630BB9-D0E5-611B-760D-00000000F001}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075395Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:21.166{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B263A8FFF552CE6E9942B9854860A3D,SHA256=51BDC64C66AB5B77B2719B7C98155D2AC10F47770B14E51A55C31F7B99BE98F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055028Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:21.093{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF02A61F94AFB608E57C9E9B68C01C5,SHA256=9B603C436C0DBD4A42AAE6CA2C2D85D4899C6BCE2F73372C74BE366A791F32EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075424Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.799{2F630BB9-D0E6-611B-780D-00000000F001}54964844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075423Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.651{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E6-611B-780D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075422Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.649{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075421Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.649{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075420Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.649{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075419Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.649{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075418Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.649{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D0E6-611B-780D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075417Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.648{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E6-611B-780D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075416Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.647{2F630BB9-D0E6-611B-780D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075415Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.166{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB37117BB84B11440BB467544CC65F9,SHA256=74C0DECF7EF6B3697EDAFA85C1A3AB9B546696199C788902969E9BADB484804E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055030Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:20.534{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055029Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:22.109{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90528431E2607BB0E98D3A5253AC07B,SHA256=D5488E1A3393D2880C85A75F28BEB8499822750C37D2E42605195B1DBB0E5A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075414Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:22.129{2F630BB9-D0E5-611B-770D-00000000F001}51885196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075425Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:23.167{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9475051DBF3200B04CA7E480DDE3851,SHA256=7CA811F16113CBF519994C7AC9266A08F725245D4D5D73E9223FA07DABAC6E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055031Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:23.140{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CE2156876D22BCAE6AA50FD91170F7,SHA256=E2604EBC9752C8F3BCBC45EB72E9937952D4972DB9C42B703664AAC8473C9EB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055033Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:24.422{8A88D375-90A2-611B-0D00-00000000F101}8084324C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1300-00000000F101}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055032Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:24.156{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14B5FCDD03FCC9B440D5FBC46F2B08E,SHA256=C48E736C4CDDE0995ECDCBEC10FCF8BED5A9C635723A1941371052FC2BBCC0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075426Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:24.181{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36575462EB6140D3E30A542604D67B5A,SHA256=651BF1D0F8B1E56B8192F986A63A96A2438EBA7C639E3BFB8044153AFA74A7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075435Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.195{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF546DE61263EC3123AE84BC9C6416D6,SHA256=2E316EC4F74E85159A68BC50D855C9F17BEFCA557A2D165374613237EFC1CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055034Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:25.172{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CD9D99663CA6B2E55550630EF2CBC8,SHA256=F80F85C1BE432144B93F6B3DE5A432017182BBB4D6553182224B727E1FD10CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075434Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D0E9-611B-790D-00000000F001}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075433Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075432Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075431Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075430Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075429Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D0E9-611B-790D-00000000F001}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075428Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.080{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D0E9-611B-790D-00000000F001}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075427Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:25.081{2F630BB9-D0E9-611B-790D-00000000F001}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075438Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:23.908{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56401-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075437Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:23.908{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56401-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000075436Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:26.210{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3B051AB96F39D03C6090E988555020,SHA256=C78EDEC652BA9CF1D463FB1E627275D6AE7F538113DF72B4568F1F9B44F3BBA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055066Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055065Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055064Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055063Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055062Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055061Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055060Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055059Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055058Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055057Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055056Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055055Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055054Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055053Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055052Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055051Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055050Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055049Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055048Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055047Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055046Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055045Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055044Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055043Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055042Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055041Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055040Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055039Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055038Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055037Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055036Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.468{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055035Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:26.187{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8968F94E92DD5101EDF64215168345,SHA256=813CE6E8C88C35D54DB46A9025FAE700517280350EE43D640ADD5481E36FEA30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075440Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:24.385{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56402-false10.0.1.12-8000- 23542300x800000000000000075439Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:27.224{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9011E9953395ABCFF0C9D1A90DEFEE00,SHA256=68468C90209C243D3BD6B49C192614F118A49024EBE808E87ED1A86398189696,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055068Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:25.627{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055067Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:27.343{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A9D98ADA3CCBD8365F14E20C6E6146,SHA256=BC6B56EBB09C1236E94E33C9A1C80308B1BE469DE8071FB218A0D419089A2A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055069Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:28.422{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F881AE367A1353CB5746AA1B30F4245,SHA256=BE23948E061CCB1FFD05B459D02B1869F5755D8084B3BBF22F0A3C2D6F325C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075441Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:28.241{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C004B70D26C76278F7C37D5E5CDC930,SHA256=2ECA5ECA4E2F549FD6EB8F5897DF70766E7ACA86DC29A0AD2E160E401E3D5017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055070Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:29.437{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6AF5B0D894E44EE5503BB1AEC50CB3,SHA256=90B930F4B31ED718F3C08398BDCE57D7BEA25E72EFCFCE4E3C92724A1A31C6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075442Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:29.261{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA6FA6D6229A49611C6D62D6639FCB2,SHA256=52BDCACF3B7BDCA7BB6E743E0BA306F8A38381B1124C725EC6054E08CBA0063A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055071Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:30.438{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD12CDDFFCA571D250A54F1BBC401CF,SHA256=F18F402E514D911597E56D977D067E268CEE51384B3ABBF1BAD94C00EA15383E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075443Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:30.292{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0DD825F4674E5D812D88487AF33B03,SHA256=7C9234CD34671615878B2208CA4CC81D4A6BBC1F396972C881AC618D7A4FC401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075444Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:31.306{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9059BC9198989A42EA4487556C6436A4,SHA256=B47203CD0EA73ED3A065AA293DC610E89BB166585943D17B9FE6244725307E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055072Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:31.453{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9B7397AAFC5F09477D348FA028D36E,SHA256=7E0C096DDA6601568AE5AD504082C0D6CE29F03F975D9529F6938D3921248953,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075446Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:30.302{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56403-false10.0.1.12-8000- 23542300x800000000000000075445Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:32.321{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BA5C2AAA8CAA17FC68DFD99CAF7FC2,SHA256=CABF4070117EC3F2B2665F1093EF817717CD640BD8BE2F7A68CACB284856FEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055073Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:32.468{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454D1832F174D6FE70ADC3EBC6819108,SHA256=585E2CF87E0C6E457329E74BE3D3B213592492E6DE57D79D836330A0D37DFDA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055075Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:31.659{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055074Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:33.484{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D92C4C6C43955BA83831A901B18E51E,SHA256=993BF744A171AB893DB921E4DFC80CE709022C2795703100BF53F0A06C35BCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075447Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:33.337{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5272C556A1F315AB865ACBF2C17D651,SHA256=BE86D96748DD66EA608CE36990AA551694E3D4A9DB27EC85761B9BF2ABB1A536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055076Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:34.489{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05F695F8C16D491397BCF2F42E56EF6,SHA256=55AC01A37340C78FA320619C3D9A8E74792B442B4EE654C1FF405FBC9E193EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075448Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:34.356{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C64EDD2D808956930B355E784063D0,SHA256=17D03CB6F4B30A5308937A9C973CB6F77B1DC501AB0C8D9805D4000AA504FADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075449Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:35.387{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FFA1738EB1E815DEE6B3FAF60AD297,SHA256=532AC30A30D7CCAAD7434B9496069BDACC5734053F27E203DBE87A256B2DD4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055077Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:35.504{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2DE1D65CBC038E76CAEEC23D7D3F74,SHA256=48D598C19E901832E3CE45FD877AF81C0B6A84777E525CD9173B2BE53AB3A00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075450Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:36.403{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D14E2C415109EA4C851CD9026FBB43,SHA256=A565A4B64FC2D1B55F4E874B05E1B26B9466C2700400FEC7C7CDFDB03BBDAF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055078Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:36.551{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA4C9FB934F08055E9B9C77CAB9A96,SHA256=ABAF82D76A376FB6E8EA78962EDAB09A1281ED6E99EFFF4BBFD124AA416C3B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055079Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:37.567{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3060572C13C4282CB92D044DE0168BC,SHA256=8F9C6F7C5BDDADC6E6E98DA135CF716C6595E4D509D3B9D098C533490FCB8F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075451Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:37.416{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8D616AD7EE51242F7B1749A06E972D,SHA256=DA27283810590F53331BB1BACC9050F62E87BE93B472842793A2A90828E287AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055081Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:36.726{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055080Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:38.582{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F605787D63C21C4D0C7A79B91FB45EF7,SHA256=D3B0F80B5B92B9D97AE32DFA7F695217E26EC915F7D03CAC0CBB96F5F6BC120F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075453Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:38.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A41BA678F65A3318C0E10FA3CD7125,SHA256=2D482FD6C56F68FECDC8CEBA992882F76B39408653A31C7C067CE7F83D6FC3D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075452Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:35.376{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56404-false10.0.1.12-8000- 23542300x800000000000000055082Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:39.629{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7907CC6C5C3B0D7FFFC3F1B3AB9F8349,SHA256=BC7A4856A88485A50D2CEBF0D9C4DF88F30DA9B9B998B5AF7588D7EB3962C009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075454Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:39.451{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02A00267713BD972055416DC35C8259,SHA256=5F7C4538C26C937D29011662033C04DFFCF3428F23A3A1C1567CAEA3043BA644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075455Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:40.466{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4549FD35FE635F4B44328F64AEF150E0,SHA256=0A5B0FB6ECC41C8009FCB928F11DBAC9FBD2C728C598EF5FFE1BE9E99DE1A676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055083Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:40.661{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D06594643572307C8D88B2FDFFCBC1,SHA256=811BF5D77170DC47009264FD9736D7253F5CF9AF9B20F5B81E07F791D9E6828E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075456Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:41.480{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250A2D5FD51A3781C98567E0BD154A81,SHA256=B32616FED866EA625F9E2A54D5A3DB49B7118B98E4D0CAAD7A74DEBDF1F9187F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055084Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:41.677{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B72C75B4A246CD00246BE1AAB0DD56,SHA256=7EC0687F1ACC0F0D075AD0BF9EF0ADCF936825A9E636CCE6370CB925ED919249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055085Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:42.723{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C9890AEECCC80924A3A7AEA5594119,SHA256=7C358EF0ED9317F7E743C6514CF0176288CB0DE0B6C88D83CF3C9163B4DCE6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075457Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:42.495{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B1A095F8ADEEB4DE1426D8DBEEA184,SHA256=98CBC37FA68CFCB073F8D33862F2F829DC1CABBC7A144A20588DC0C237DBF775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055086Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:43.739{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25462AA47E397DCB94CEC9F3552963F,SHA256=F41A68453E0524D5E897B283E2FDF9C3B484B38EA436B416DF08C6EFC6F16664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075459Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:43.509{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270EF5316E280811CA407CCD3602E540,SHA256=D1541FE5BB276932D83AE4D9DED244527ADF2A0230E31FCD4EEAC45843D7FDFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075458Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:41.254{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56405-false10.0.1.12-8000- 23542300x800000000000000075460Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:44.545{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DA7C46F09CFEB47DBB3F1EB832B3C0,SHA256=20E937B4D836695556EC513590E0F4D66CA0488C923F14D4A5D7B46BD14C11DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055087Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:44.754{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6667F762EB6733261F2026474447A3,SHA256=DA0B1863B2EB906664C5F88CA91F33911925F603453344200D409C6AA3FF3D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055089Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:45.770{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B19A794B9DB9DAE941DBCA4CEF51ED3,SHA256=5DCD31C787C616023DB3A5CDF7E5F81D6327ADA5A8F354F17530DFDCA498EE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075461Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:45.575{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77047A3D0BBFB8406798CEEABA2D1B24,SHA256=28B3D430A8A63789BD6758812B3D291F14CD17141037645C57F0F3AA0AB948EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055088Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:42.695{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055090Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:46.786{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67F0D08AC99D11ED265C7ED2B362CD7,SHA256=88BEDAD481F8FD6526F16BC2DCCDFD09C91C74203A62F8EFA6947938E1F249DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075462Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:46.606{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1089EA5776DD8A9D2E8CE5A5D2DF8,SHA256=5EC0EC5333860207772DC23FA00E5399941CE2B8A7F42D44A8C794EC57458A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055091Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:47.817{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D0A08BAC5909D1E410091410EABF12,SHA256=ED4EA4D8B8226B2F3E269DD8722F932A0C89C98628C7C195122CEACD16458F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075463Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:47.642{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690229CDF11569A34E220C5326D09EB2,SHA256=06E192A5DBF9BA4054A04949D5D59AE262EDEDA9371CDB27A9800172F5ED4CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055092Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:48.832{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B17B6F16B027B95E2D8D3C1490A837,SHA256=52F5EDE833A8316CE9A4F7245F5841FE71B0F41ED541CF982CC17A3D26D788DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075464Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:48.672{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B7A3A6246CD185E29266EB28A62FC8,SHA256=BD8AF6677E1B6011E52A81B51260E4299C8C0A0978E4E1830B5EFED51B68ED43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055093Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:49.879{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85BC793ACF1F61CDCFCAF721859A00C,SHA256=F5984CCD1F132CE4252B93E1528E07BB6D34A327A921DE05A1742762AF613334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075467Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:49.672{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EDF0D853B9FF9CFD2D4AD219DA8292,SHA256=7AE9957FDA75B98848DF52AB4FAC016C95DBE0DF4C47649694C7C6A5A5159D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075466Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:47.247{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56406-false10.0.1.12-8000- 23542300x800000000000000075465Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:49.024{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055094Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:50.895{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C6598D6160FE88F7082E057CF18839,SHA256=FA9D1D405D3C0E7A7E68920566FE133777CF80D9802C8513465EC1CFAA1E33EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075468Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:50.674{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB6E7520F59FF3AB5785A887327202B,SHA256=48DBCF0C9FF0CFA5207E793EEE0E0BE1FF5CB85E1D9D3CAD85E8514FC5338B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055096Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:51.957{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0E807D1C9C22B0090BC2C917CB75D5,SHA256=6C0E75C397CF3D17FCF32E4D56DF8D111D0EAFC5C4B09685D6708C6C04AB2249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075470Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:51.689{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41869A2BC66D0EE9AF77AE43C57CE399,SHA256=C49AD9DCBFBBD561A4C1A93371C4E3FAFC9840D5824ADA25DCCD16E1D49A0825,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055095Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:48.710{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000075469Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:48.147{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56407-false10.0.1.12-8089- 23542300x800000000000000075471Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:52.704{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29EA6E0C5CCC46DCB2593212F0789A0,SHA256=FFB6DEA9466E152CD795B665749428434ACC1EE635E1BB3E25F5FBE4715CD119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075472Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:53.723{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7A82FDD3A6A335D992C0ADAA415432,SHA256=FE8892FB8D2FF749520F34807A53C8D3BA2D102BF4D1170A1ABBE5F8B7BDE166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055097Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:53.004{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737FD8D2490FE8E34A390571BBB3B4E2,SHA256=C6271594B2CBB271E7D07EA4073B3EA97C5FBCC3196CA50ACA453E0857245887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075479Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.746{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45C25F10B4381A72C26E6980C486DA7,SHA256=F19B2855466B3CAAE9A93FB7D3AF9F9A1FF035C15CAA2BBF5C50459D470C17D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055098Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:54.006{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9995E765DBD6C1477F3EF55A9FFE3777,SHA256=BA36CE4A3F1B5DE1612BA62BB9926A2C2DB7BF761FF004CB0C2AE4D5887E70AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075478Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=D72DD31015A2EEB8214139A9E0216279,SHA256=246212F230767164D3092509B2A4B5DC93565ACAE5CF99CFC3EE70AF9DB71C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075477Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=64322F8D86FCECFF2F6DF28E7CF1DFA0,SHA256=E92D0CD116D9BC741E06AE0B565C7D779B4D33CBC860772A0409239D867AABB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075476Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=56443F9AC1EF20015CD0EBD517367B14,SHA256=5965F42211677C6CA12AB686C0688F385ED08A45B7EE2B2CF402FAB95C8C4E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075475Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=F543F4E6640962D1AE4165C3387A97CC,SHA256=7FE9D99BCF44720C42E18EE9BCF543D7830D3DFC027EF9F70AF04412F4285465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075474Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=C0F3C5745E398BB52C79B8B85040C42E,SHA256=22988BFBA99D99C95653968C973CEA839E1CE656ACE25FCF4244A8001C816F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075473Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:54.072{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=A1916C61BC015FAF9DBC33233356F0C0,SHA256=491B33DB060FC8576FD06B8EFE98507E0844E60382EC1E78F11240C2FB4C92C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075480Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:55.754{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9246F979D143DF4DE7382A2BB79619C7,SHA256=A2AE6E435176D59CAB78005B81BAB3962B4763BD1A75B55C55E664A95C519A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055099Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:55.022{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81C22C91C2CFA9C06674DF06B1F89EB,SHA256=18D9F81A7506C949B740DF2AE0FE14E921C05D71A7CEA284B39E1654A51D2AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075482Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:56.769{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B96DC3364C164A38119E05193B7DE2,SHA256=BCD013800518225DA615BBA6CC2E0274AB31B2B2F0FD09113A4EC8F54FD58A3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055101Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:54.649{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055100Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:56.037{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCDA7B196C550124827D1D8D62B6DD7,SHA256=0B5BC40535F03CB090F59480A35E5A60758AB3BB299DEB9384BE0FB7E46524F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075481Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:53.245{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56408-false10.0.1.12-8000- 23542300x800000000000000075483Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:57.783{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB628ABF7F5DB4A9C9963DCEF08FA72F,SHA256=4286EF32490631683C19F0F783A9FBF209134F0991E724B9928A1E3AEEE2DF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055102Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:57.053{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2E4D406E62905380C1E2809A19A5E8,SHA256=E8B44B4B88FAF90C6BE83B5D24E5FAFA5D4B6D1DAE1426D038EDFC6045F61192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075485Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:58.815{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF70964BE4572D1947C353768BD8273,SHA256=61217C57F70AD3DAFFA9047299EA5EC997D58231E8612C0131E0F5586BB1C957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055103Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:58.084{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F51369D5F8C6851B33AF5D81E90483,SHA256=8788E9EEEB2AF2943FAF530453501A9C648387FFD3651F581F33F59E357FF8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075484Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:58.651{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BCD49BAE0573AD0A89991556CFC1A2C4,SHA256=08133443F2A222A7B10A49BA409E68E0BA6CD817FE7E887B6433B512F6C8C7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075486Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:59.850{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E076D5F8F7E06B9C1157711B53E716E8,SHA256=965E30A152E86F30CFB1882B86033EB645EE99B9883DA7D7E8A663066CA932D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055104Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:08:59.131{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B938108F3DFFADFA50A532AE69DB87E1,SHA256=637C6A1B955FA50A6FE225B77A25778A3B09C1C35BB912278422D59BB9D246F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075488Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:00.880{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B230C68334E5C53B54BDE61A08CEC42,SHA256=D396E3D36CBFF308C538DE85F44594E86F997417B4520C29B7AEC64357CD9F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055105Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:00.178{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AB44720E02EB48D796459296BFA09A,SHA256=23D9AFB9AB17F3D025A27675D3467048ABB34D941234A492D8F0CA5D1C5C151A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075487Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:08:58.277{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56409-false10.0.1.12-8000- 23542300x800000000000000075489Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:01.913{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009C06576B2AE3A74229C32432E8D958,SHA256=DD22314A1006645FAAED18A16DE21F6546AA62CB37439FF97FC4254E21F36D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055106Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:01.194{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAF46793AA44F0B99E6C2FFEB62A63A,SHA256=64FD4495274005BB8CFEA84B50E807B7DE5C32E7C39D6E8B0FDE0E818EF64F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075490Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:02.931{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356F2DDF2A2041D10510085E7343B3EE,SHA256=F43D393C9B102D43F6FC744743BDF933ACD42058566120077E8773F5CED26196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055109Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:02.823{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-267MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055108Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:00.602{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055107Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:02.209{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE2C35723B14FBAAD7AB60BECF6A4A3,SHA256=CDA37602A7D7522BF48BC9F8E8DF5096B6ECBDAE2093FAE1BF6F84E57567DAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075492Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:03.961{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35201956ED3111A2E775D2DC6B1C0ED,SHA256=E1CC5F449F7B9774B9B545960A9664EE3D898EA00604426CB99FD56B87F8A38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055111Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:03.837{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-268MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055110Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:03.211{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B202F049FE95790217DD089D71D1B757,SHA256=781377F7A7E352F80F55825B9BC781BB9BFAC0FB064E08E9B9A145C10C76C5CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075491Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:03.330{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075499Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.975{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CA252662FA36DAFB3B59E0D9B12649,SHA256=EAEF54AFDBAE24BF8D7124271AC4D39646170C264CCED9783318BD9BD12F300E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055112Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:04.224{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C01CE23BB798B65F9FC782633D63E97,SHA256=3B48EAC70D1EE04FD1084FFDF119AEAE5EB656A14F6A23953ED3369C1AA2DF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075498Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=DA7BF3222FDAE2184E0C8DE625A60206,SHA256=1ABA97550AB56D89EBC6987939139C77FAF9C8B6F38E1A4A87946A907851229F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075497Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=9EADC78CC6EE68BFB0BE24763A3FDE97,SHA256=0E182EE366D461D4ABD70AF6D8AC0B3AC2420E96D7257144FC74F71696F01549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075496Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=2FFD0B29AA303B9D436FBDE010B31206,SHA256=F495C5C4E62580C3CD6CD7962E8FA70D79D7201664B16509EFB7EB46571D8246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075495Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=D30AFC4EF0D7E806B15F498617490E4B,SHA256=233F44C4AA86148063EF611B59394EAD63952A9BB211FE420669FFCEFEF38C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075494Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=661F70DE67B596E9DCEFF2008000AD66,SHA256=0FE228892E15C3FD41B000D4C2FE46BC41AB9A2C1001125BFC9E0A6D1547793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075493Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.092{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=81B918CBB5017D987C26537AE2DFD372,SHA256=2C60D6DA992F1FE1BC25BD4A0EE3B72769DA5CAFC1689C997FB79775FD3D1758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055113Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:05.274{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC96C6528885F097C883B13660706A1C,SHA256=7752878D3FC63D973ACBF0A5CA0E66D84978F44AD5250CDF1C5126AB6B37511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055114Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:06.290{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD86F72FAD6EAC55542064BDC2588054,SHA256=37913D7A685A5ED0B9A56EFFBFEA683BB1AF6327E8AED139318FBDF21BF3D5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075501Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:04.202{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56410-false10.0.1.12-8000- 23542300x800000000000000075500Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:06.007{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69790F8352F21840CD1D1E21E5E611CA,SHA256=149D7D6D4F92F54C1AAA7D10ECE4D89D5EC9793D8F6E4979A8A2C4C10ECF3694,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055116Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:05.651{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055115Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:07.305{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF7EB62610EBC40D4BF0AFBA230B666,SHA256=98F6BC304C4E32CED65410091CFF1110629FCA9E3F1F352248A1C87FC6DDDA53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075505Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:07.573{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000075504Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:07.573{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075503Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:07.573{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1035836.TMPMD5=5DC7F12925A3AFE1350E22C4D18895D4,SHA256=C9B1BF1A545F85BBFF7598EC849E260DBCB3503CF53B1AC3CC4FEE256B700E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075502Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:07.026{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1427871CE7CE6A4D304AE007A390ADA,SHA256=5A6431B56E50786C97E23A1957A0DC0FAFEB1080F0A9E50FBF59B8A7DBF10E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075506Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:08.041{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEF7BE9CD9CD8843F426DBDF2DA69BD,SHA256=E265D3C80316FA0AC97FA72DFA30EE9B8185E60D849588C1A1433E158D166FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055117Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:08.337{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA6B8B1BB0837E99DD6CCA278E9C1AE,SHA256=BE5295304128529C22C46195FA59012B9AFFB971D2233C37DAABB6B81B94DB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055118Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:09.352{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9B6BDD55B133A8FAF123C91640B23,SHA256=9A6E02F75E8E482E1019806D90B52FF7F50C9701C78E73D06B554D56824355FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075513Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=1C6C871F742A0CF0AFD125B0E5FB5B2E,SHA256=AD3186B83A7D6BFE4DEBA7CF412BF720B96CD05158BB4504689889D7DF006A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075512Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=56B8AC84CB9C414F5D978A556F0639C9,SHA256=2031FA6880BD36EED3BC8DE7063A600B5405AF05A43FE27ACD532BCA3A345643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075511Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=96E14923017308C5F386DEDDE02EAAD3,SHA256=B046A17095CB4F65FB358AA56B196CCA0A1190AA274C1DFAA507A323550A3630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075510Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=DFC18D08911B5F36B23CDD05A24CA354,SHA256=2CE68ABCF73F15721BC8AC21E020E5DF8FD7987BFD42EDA9F97001FC078FABE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075509Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=289855A032F74F168A6666B70DDB712D,SHA256=F338977A15DC162D0BAEB867AC19888CCCA43BAFB450DEE569AD693E54B91756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075508Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.124{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=B70DD14FF470B791954ACD8087B21218,SHA256=54343EAC6A09ED24B9D00EC4320E94E67108A2BC80391B38C74D5BF4E525DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075507Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.104{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF2D5BAAB8C69A32DDC00B69052B6A8,SHA256=1C7F11B903B6218C2901183D15C00B7E17EC90CA2E00D657C916E0B1A397D7F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055119Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:10.368{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398701CA713197925F48B6C4237CF02,SHA256=F05A8D3C2C6579239B13700E9EA01EE03F7F0646326229A3E87823B5B67943D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075514Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:10.138{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977DA7EAA80A4F137832CCBEEF2AC04F,SHA256=5514C9EAD722A98611F98627FB3A90D158E84E885242873CD0E4820F44776065,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055128Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D117-611B-850B-00000000F101}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055127Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055126Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055125Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055124Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055123Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D117-611B-850B-00000000F101}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055122Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.946{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D117-611B-850B-00000000F101}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055121Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.947{8A88D375-D117-611B-850B-00000000F101}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055120Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.383{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FD645CE6E4097DC2CCDAD6478E55B4,SHA256=FB8E1888FFEEDDEEB598A9326CE48FFBCA1CE2A9060DB39E4247378AC0B6524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075515Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:11.168{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008D44E22803517D05800A4AC5F60536,SHA256=52C0C63660D97377708C12E7CF27767216E42D3C040777EEE06A027B402015F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055138Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.821{8A88D375-D118-611B-860B-00000000F101}30446044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055137Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D118-611B-860B-00000000F101}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055136Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055135Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055134Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055133Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055132Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D118-611B-860B-00000000F101}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055131Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.633{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D118-611B-860B-00000000F101}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055130Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.634{8A88D375-D118-611B-860B-00000000F101}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055129Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:12.415{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2A6201CCEF52102C7DD6E38AADF6C3,SHA256=2D7DFA0908B6B19569F9EFA9FFABD2C7C37BEAC04E7416788A2C2680E892FEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075517Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:12.182{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A392CD7B95FFF4D587A4F5A2C2988B9D,SHA256=C9B28E42257E351112BD1B3694B919935D56E2D1860CED0DF15865C0498DD664,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075516Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:09.215{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56411-false10.0.1.12-8000- 10341000x800000000000000055156Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D119-611B-880B-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055155Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055154Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055153Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D119-611B-880B-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055152Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055151Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055150Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.931{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D119-611B-880B-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055149Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.933{8A88D375-D119-611B-880B-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055148Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.477{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=26E045F1993516C3F07F676448BF6E80,SHA256=13CB1708FEAC94739EBB2AB20173E0BD3A5C5A4336B7008609F02E76B0F9A7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055147Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.446{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4D5378195031DBE3995AB8FE7D607A,SHA256=45714E70C8561906A168593EDBEF5D61712D15DAFE0AC909F18CA949780A1CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075519Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:13.221{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-275MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075518Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:13.199{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F8002C87E010DFB869503A071DC030,SHA256=6F4398607E91CF23D17FF8BD0A7D5A04A1D555D7188456702AC75803DFF4C014,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055146Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D119-611B-870B-00000000F101}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055145Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055144Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055143Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055142Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055141Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D119-611B-870B-00000000F101}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055140Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.305{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D119-611B-870B-00000000F101}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055139Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:13.306{8A88D375-D119-611B-870B-00000000F101}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075521Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:14.234{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-276MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075520Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:14.218{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB16B7CAD913EEA1BD69DF5A7043B60,SHA256=612DA1ABB144B9F30810D4CB8BB0792B0188464F86575AB890B10A29FC6E7A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055159Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.571{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD323DCF379DEDD3361C69769491E687,SHA256=B7F71671D1E3245C4D5A852DFE8A33736143088BB9A551532C7931DB4C2D5568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055158Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.119{8A88D375-D119-611B-880B-00000000F101}60164920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055157Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:11.683{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055168Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D11B-611B-890B-00000000F101}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055167Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055166Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055165Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055164Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055163Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D11B-611B-890B-00000000F101}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055162Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.703{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D11B-611B-890B-00000000F101}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055161Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.704{8A88D375-D11B-611B-890B-00000000F101}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055160Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:15.609{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33A62B3CDC777437DCE8010D29F76C9,SHA256=6DDD4A3B82B3ADE1D95062423656EC9DEE1490CADEF764EA4871460D921695C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075522Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:15.233{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A7770227E6E1F3BD2B51472786A0D,SHA256=A87E9A5F744E596F93AD27198CB7D7B464E5B91EE42762195260488327078AC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055191Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.844{8A88D375-D11C-611B-8B0B-00000000F101}34882652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055190Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D11C-611B-8B0B-00000000F101}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055189Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055188Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055187Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055186Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055185Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D11C-611B-8B0B-00000000F101}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055184Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.703{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D11C-611B-8B0B-00000000F101}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055183Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.704{8A88D375-D11C-611B-8B0B-00000000F101}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055182Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.656{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F36852A9B09B94AF8442FF272CB8CD,SHA256=ABF622E6541AE054B10E772CBB0838DD3336149F0BA618671A79277FD42C05EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075523Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:16.278{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB875DA3352131DD88B81FC434D3CC53,SHA256=A6660DD215AA65AE0210C3E61C627ADD3EE299DEB4527E88650BA6CA586A6549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055181Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.469{8A88D375-D11C-611B-8A0B-00000000F101}8484564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055180Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.137{8A88D375-90A5-611B-3D00-00000000F101}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53090-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000055179Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.057{8A88D375-90A5-611B-3D00-00000000F101}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53089-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000055178Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.015{8A88D375-90A5-611B-3D00-00000000F101}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53088-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000055177Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:14.013{8A88D375-90A5-611B-3D00-00000000F101}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53087-false169.254.169.254instance-data.eu-central-1.compute.internal80http 10341000x800000000000000055176Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D11C-611B-8A0B-00000000F101}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055175Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055174Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055173Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055172Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055171Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D11C-611B-8A0B-00000000F101}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055170Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.203{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D11C-611B-8A0B-00000000F101}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055169Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:16.204{8A88D375-D11C-611B-8A0B-00000000F101}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055192Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:17.719{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA8292B92A0BC486E8CAA8E604FC7EF,SHA256=B7D4A5203AC84288B8221E9905AE0C3300BAD22EC88D95BA78EC2C6A9A2F3B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075526Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:17.814{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075525Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:17.297{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48C4FAE7BB3F3B7DC44E4A8D2BB2C93,SHA256=54A4B52C82033A8CF7975DD1C049619BE199F6CFBE2677E442F4D3D0FDCB8D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075524Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:14.360{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56412-false10.0.1.12-8000- 23542300x800000000000000055194Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:18.734{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BECF844E15916C783B8D0D2F7ACE18,SHA256=01B07A74E3FE355FDC83AA4B5B97A62AD44DA8FECE95EDD287A03E3101B3ED77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075527Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:18.315{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285A913BF8FCF8F43C51D8A47AA44ACA,SHA256=3DB0BC3F8C8481BD042D504EE188A1D11BC913F6BC7908677ED9867E4671E320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055193Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:18.672{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055195Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:19.766{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FDB70A2B5D08C697FE51BD1C08FB35,SHA256=DE3631DB22410F08D29095C629DE4016A30560D0620E446FCE0F0B717612CCAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075536Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.497{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D11F-611B-7A0D-00000000F001}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075535Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.496{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075534Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.496{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075533Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.496{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075532Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.495{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075531Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.495{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D11F-611B-7A0D-00000000F001}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075530Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.495{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D11F-611B-7A0D-00000000F001}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075529Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.492{2F630BB9-D11F-611B-7A0D-00000000F001}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075528Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:19.329{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9B7BE73587ACFED6809B295C6D868,SHA256=4B32718FD362E0735EE275F78F55568A43244741D89BB70578EE4E83C7753A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055198Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:20.797{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3E0B216EAB7AFBE556F0AAC78321A6,SHA256=2D9DB2E86323A3C096D16FBA640F55F54993C602A4C65C6BDE4CDB3D91FD7B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075554Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D120-611B-7C0D-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075553Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075552Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075551Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075550Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075549Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D120-611B-7C0D-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075548Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.828{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D120-611B-7C0D-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075547Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.830{2F630BB9-D120-611B-7C0D-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075546Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.361{2F630BB9-D120-611B-7B0D-00000000F001}76045996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075545Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.361{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18B0C21B05AFA4393819574CD58A68D,SHA256=C89C0C87651535F2B8FCDE56F414DFB90710D2AE46F791587C228D34C349DD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055197Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:18.143{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000055196Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:17.627{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000075544Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D120-611B-7B0D-00000000F001}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075543Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075542Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075541Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075540Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075539Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D120-611B-7B0D-00000000F001}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075538Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.175{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D120-611B-7B0D-00000000F001}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075537Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.176{2F630BB9-D120-611B-7B0D-00000000F001}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055199Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:21.844{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5535762F61D616FBBE4C942F62CDC6A,SHA256=F38EA6DAC95B9D142A5D45B6A8BE411AA2A52292512C93B2763900E06E1A4317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075564Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.574{2F630BB9-D121-611B-7D0D-00000000F001}3845100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075563Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D121-611B-7D0D-00000000F001}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075562Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075561Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075560Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075559Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075558Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D121-611B-7D0D-00000000F001}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075557Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.428{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D121-611B-7D0D-00000000F001}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075556Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.429{2F630BB9-D121-611B-7D0D-00000000F001}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075555Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:21.375{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806DB3E9FF630D1FC05850EF0CCAD126,SHA256=61FC0527F3BD19BCCBC574D47A7440EFC8A04A96DDBAD019B48BEB98C2101BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055200Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:22.875{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69848926484D0BB126F88A5C840AA19B,SHA256=E9E29D27668E5502BF3A3438E2151C36EB8D014338EF4F7DDAB5207353A31BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075582Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.796{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D122-611B-7F0D-00000000F001}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075581Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.793{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075580Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.793{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075579Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.793{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075578Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.793{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075577Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.793{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D122-611B-7F0D-00000000F001}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075576Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.792{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D122-611B-7F0D-00000000F001}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075575Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.791{2F630BB9-D122-611B-7F0D-00000000F001}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075574Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.395{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6E69A210183517634E45361B5E51AB,SHA256=ED119EF8DD5035E3803B79B2C149B68C492DD9EC941FF636DBD9C5F401F16746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075573Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.295{2F630BB9-D122-611B-7E0D-00000000F001}19965960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075572Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D122-611B-7E0D-00000000F001}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075571Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075570Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075569Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075568Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075567Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D122-611B-7E0D-00000000F001}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075566Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.111{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D122-611B-7E0D-00000000F001}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075565Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:22.112{2F630BB9-D122-611B-7E0D-00000000F001}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055201Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:23.890{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B0297677891FBFC7A52C98CEDDCCC7,SHA256=BEECDF5B3F9EB34C78B5A4F6070DB2E17A5AB0D44BF0B7237B6D6F2B4E403ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075616Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.643{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B7471B76D5A98E161EBB349ECDEB4B,SHA256=F0929D93C06420849A67A58A77FA757A4B07AFF02E77F9FD0EA818FBEBCA5ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075615Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075614Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075613Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075612Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075611Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075610Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075609Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075608Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075607Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075606Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075605Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075604Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075603Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075602Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075601Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075600Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075599Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075598Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075597Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075596Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075595Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075594Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075593Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075592Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075591Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075590Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075589Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075588Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075587Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075586Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075585Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.328{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075584Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:20.271{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56413-false10.0.1.12-8000- 10341000x800000000000000075583Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.044{2F630BB9-D122-611B-7F0D-00000000F001}79605360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055202Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:24.906{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B907E1CA0D2490A1C3EABD23C3957312,SHA256=5665A279717C633E426E68C62044681A6EE0C5E13E9B55DCF370BC95F9475BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075617Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:24.658{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45DF0420FAAE280E2378A912883A08D,SHA256=EF5893B0D8F11AACC5799ACB37C652B1F05831AC4E594E5B61FCC70F0AC473E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055204Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:25.922{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96203C26AB1D59C2BED6FDE9338808E,SHA256=9D3BBE26740EB763C8927C9DFEB4C63C1CA33658C3F1F837359118D8D9BCE05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075626Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.692{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9A195147EEA95579DE83ECD2B1DF8,SHA256=C604EDE3DC045DF40518F3D26A3763F1A0C80095477CBB09E5563376BAC40212,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055203Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:23.659{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000075625Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.093{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D125-611B-800D-00000000F001}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075624Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.091{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075623Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.091{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075622Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.091{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075621Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.091{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075620Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.091{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D125-611B-800D-00000000F001}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075619Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.090{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D125-611B-800D-00000000F001}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075618Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:25.089{2F630BB9-D125-611B-800D-00000000F001}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055205Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:26.953{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5520831F23D30F3A7213DFB56ABF8903,SHA256=EB66D537E02E466E90CFB90ED7F920A61C046FCC76D34E4EDBF471A6FF02C628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075629Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:26.724{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D054785C754C6648DD961DECD824E37,SHA256=8CCE2149F149E7E5CCC94D50EAE09C3781779D0532AB7B1A9F090E8F24DBF16D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075628Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.916{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56414-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075627Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:23.916{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56414-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000055206Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:27.984{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047B1AA95FFE72C7AE7AA1BA9E6000EF,SHA256=60BBC1DF896E42FE811435648EF6EDB9B7BEADA2C173342F147FA6049C5AA776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075630Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:27.739{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDEF84121D3B00802F0485962938D63,SHA256=34EC3BBA1EFAA2AEA34EE048F8A158B691531FEE9B678FA55391082DB548EA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075632Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:28.754{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34D381E1B8CD5F34EED79FB0EF12D6D,SHA256=BA631FBC79CA48B6A2078F2C126D0D3D2E25F7DBD0165A4D5947FE6A5985124C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075631Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:26.282{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56415-false10.0.1.12-8000- 23542300x800000000000000075633Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:29.786{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1717A4FAB7241DC5C50D62D34AB75CD,SHA256=D2AB736445DB03979BBCA830F1B34202B2E84220504006A4AEDD25A8A0BAB00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055207Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:29.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E706B1645FBC3F323759B3868F415C,SHA256=8AE59B4791019C20B9BBE292831CE9F2BB6007A9114D53278594E3EF46EA9518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075634Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:30.820{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB37B272B13198B732DEB60C88C55BD7,SHA256=4ECAD795718387F7C2D92498591EAFC1FC381E05BA402E6B7E6D7B92AC7BD85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055208Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:30.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0E97F382D78005DF5F6381287C980D,SHA256=84A433F1CFAA22AC4F737157CE961ABA77415742ACD0F04E305581924AA6C9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075635Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:31.834{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A1C45C82B3972CE28F99E1237F390,SHA256=B283809C3239830E09532D2A74E9A70432044B721D78ACA8D107F0FA2D7B85D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055209Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:31.015{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD793223199077C861BB66CD54F88F0,SHA256=298E48CB11349DBC4E770DD6C2FD0D9408D6AD87A8E0C5E7E8B2389C1753A427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075636Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:32.864{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5776F73F7B26EF5DE4D8B1367B860DA3,SHA256=C87A7B566C502382B32096749F067E6F6652774BB2DD5D5CBC0F8CAD06C17EAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055211Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:29.533{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055210Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:32.031{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1FCC7D87AFADF9F8BE972EE6A29AF1,SHA256=9FB0B54A64641F13C2705F27E96B511DDC35DB487953E985786925B0A605D412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075637Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:33.881{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36ABCBD5FF1B7AE0ABA4EE697BB56C6,SHA256=EC04A2C7E05F86EFC7C7415F9A31817984FAF6CB5084A4B78675138F38F84D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055212Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:33.047{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8819B79B4D3704F34E485FE0ACD3456C,SHA256=C67C2671CF47B194E83F026E7208D5F71FE67367EAC0578E9E5FA7F9C998FC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075639Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:34.899{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BBA3D2BDAB4D98C8921FDD3E5DA317,SHA256=FE5081A7EF050663E9A7D62B9AAA51064FDF1EC14BD670BDF8559ACF4709E845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055213Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:34.055{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5D36199794E1CA238AA8D05A5EEE4A,SHA256=7D3D6B5C639F286D5DD29A3764BC2E4DDA0AFA7A80E94608AE88F82F9576E5EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075638Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:32.259{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56416-false10.0.1.12-8000- 23542300x800000000000000075640Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:35.913{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1EF4FEE7804142BD71A25AAB5D6F36,SHA256=842D6009CAD45283D71177C5038A6ECEF672D5C973DE7A582129856AF9D53311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055214Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:35.070{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9066855FFC7FC71DA145B3A4C2D60A16,SHA256=CECD38197569DA926C21B3CBEE3E4D2C6056353412264EEAD70A4D57F65F804F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075641Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:36.928{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689A26623BE54299070417330E4CC06F,SHA256=C67A5D3DCD5DD06BE9B99CC558CB3D96D894C6C02410039412272D315B398DCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055216Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:34.573{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055215Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:36.086{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265DF097C8D3814D7F4B1F2C1BDE39C6,SHA256=FB32701E203C2204DD247F75E96CEB148894FE403C54DD0668C6194AB3613E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075642Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:37.943{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E98DC27B7EC9C3E9D8899F582892AD7,SHA256=61B2AF956C94D5CC93E359F69F31F0C056E2433116B5D019E260307763A3F4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055217Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:37.086{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A912E88FA52C7DB39336ACBA4E20FEA5,SHA256=42DEE857CEAE3EF967D7902DE34595783A0AC16825A429139A09E5C83EE58B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075643Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:38.957{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1A63C00E14BB40DE9EC4F50EDC1890,SHA256=6EF606CD3F0BEBA9B1D6C7C30E9F34D946DB07006A63E55771CE064F84C91157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055218Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:38.102{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D78DA468AC840F1C688FD388A2BC5B5,SHA256=F7A52EDDFD5D04B798A35F4178F6295556502108F444CD5D2ACE708ECE2DBFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075644Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:39.973{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06FF006B3B4014C50C10F3056FF21DE,SHA256=545C67327B18EDE4BF87C5AF6D72C3EAD774635B4490FCEE101D692869C97D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055219Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:39.117{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA18375F513621D90D11F5200A6236A0,SHA256=E192A8C2555E0DCEC6366527E3BBBA067AE6F2C461886DFEA94D3B2DBA032078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075645Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:40.992{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE70A9C6ACB2BCA60867B0DF680A38EF,SHA256=BFAD24B2DBA5BF410B733A5483B40615B6C5D0D5F267CEBA7F5D93E5108A4580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055220Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:40.133{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EC8CD88369B28B5E60635B733ABE95,SHA256=C47F0BA1AC7A25BD0C4E940778BD3090AE76E9DC8F575B216F31D46AC7953EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075647Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:41.994{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43209C9A3D167D0B9C3B372B0E8779D,SHA256=108E5005C8563D7D40984F9FEC0C0B85C6141E191AD0AEC9CD0F6E70AA1CC158,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075646Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:38.283{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56417-false10.0.1.12-8000- 354300x800000000000000055222Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:39.620{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055221Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:41.149{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0A764467D85A1B37B65020E6517C8,SHA256=AF16CE2AF3DDF63E887E63AA3B74D0F987B0115B42A7F287827D8763C23EB224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055223Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:42.164{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22ED337CB76F3CDA2D1AC32A4CD8E2C,SHA256=54AD094C537AC271F952CFE539EA3AA6C524660460C40BB5E44028E67497B768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055224Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:43.166{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4BDB7693A02F25287B9443CC4A7BBD,SHA256=0F78E1FE2CD0511B666AC139D71253E7F80317267AF827A56F53F82A2E47030A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075648Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:43.009{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB4137D9C5B4CF83A350D79384A3E54,SHA256=57C8E25B6D991FD1126D1AF5CD29FC6A86B9654C7081352B37EC855698F3DB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055225Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:44.180{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5174859018C660441E65F24D191B1E5E,SHA256=7D3AF0D13BF5C86151CA0841297C1AB8FAE5DDC624B7D6F61B05092C8FAD0AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075649Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:44.010{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621312B685A8012FFCCE1C4B8D5B88C3,SHA256=69BD193F398DC96D6CDE9510D2AE86D09367F5196F30FA2D0D8ACB66995FFBDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075651Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:43.299{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56418-false10.0.1.12-8000- 23542300x800000000000000075650Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:45.024{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5108F09DCB05DE7B11D302A6F63EBDA8,SHA256=B6C655A4D5A1ADE1757C1E1EEA94E2DFB938CBB349E77A4D6EBC44F96BC3046F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055226Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:45.195{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B27163A22FA522793FB5B8E8357508,SHA256=030964D2FDE25A8243E819FB841676AE4BDD5DC68F64B14C5C6E0D3EEDCE3885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075652Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:46.039{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D258B9706A39BAD2419AF08352089A8,SHA256=FB6724EE53C4928AD9FE9BA89603643F60ABD316C04F7CD1B4D88D8CE53AB90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055227Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:46.211{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3054B18620867BFCE51CE0F7C60595B,SHA256=61F396A654C0FE69AA3E749A23AFF12DC023EBE54A18F850ABDDE6B45C3AD8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055229Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:45.635{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055228Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:47.227{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC6F9296A210D10FFE842B769E36D12,SHA256=3288F8A782E17E011838A733BBC76900E52B82914613830DFF8D6D0E846C2DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075653Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:47.040{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FCBB0282E11C3479D4C3FA0A6CE675,SHA256=328293F78C450B823EFAD5BAB40DE69B40104D8469222F1C48DC9C98C306B2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055230Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:48.242{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585999D5CA297A66FE2A6BEF9A7B7346,SHA256=779E7D438AA74B620DA88898AAF9077DF680E3630D03F34E999487CC866E8BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075654Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:48.054{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9B0DE27B157654D669CF994A9ADC30,SHA256=E695089BAC404A142563977B875B74478579A511845D2C69BA68FA420FBFD22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055231Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:49.258{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420FAEEC7C760AB8269F66A8FAD64432,SHA256=D650425731E22C93D10AA9E3C94BD80D3F6D7CA4AC7900AE9714C18315D061D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075656Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:49.071{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A255E26FD0C7D2C688DB3C7A3A9E1682,SHA256=86D8C4BA4A374AB5CC7E51DC8D985C1BA3F6DEAEDB50A9A7AEC21446A1E42E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075655Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:49.054{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055232Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:50.273{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833501E5A22FA465A7AE48379EEA2655,SHA256=9A706A5DEFDB429651C1ABCC26A32FAF476AAB81CF501AE46ABE3E7B8FC603B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075658Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:48.180{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56419-false10.0.1.12-8089- 23542300x800000000000000075657Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:50.075{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D16CB190BB16029C9624DAE6FDAC080,SHA256=9E029EDD7F8E28D2021DB12A168C0DB88D25A682999BA5C08871305CC6BE66CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055233Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:51.289{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2823938AC546B656E080C0CADAEEAEFE,SHA256=2AEF2202B23C49C2A5AEA6CB90D832A38E903633CDE168EBEC46F6EEA70191A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075660Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:48.333{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56420-false10.0.1.12-8000- 23542300x800000000000000075659Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:51.090{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E074A914600BAA08FAE9074233C37ACA,SHA256=12FC0E0945760E4C8A65BA300DBE5A1EE101A4860318D0E64611684EB90FC660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055234Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:52.307{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836BF29BF04CBEF9E0DE3A5866FB31C8,SHA256=183A903B550300B3F0151AF546BB36B07D230D26CDEFF80AD2526361E6DB390D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075661Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:52.104{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FB6AC0223615C7250CDEB065F27636,SHA256=AEEFC241862067A2E06A2C229D056925C134225051B0E5E7E040C0EC98CE4696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055236Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:53.320{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3FC4F5EDA1D37F0EE967383E521711,SHA256=CBCE7B907CA7F6B969E2CAA576FDC71C23F1013B76D98A3BF4459C4F81BFB999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075662Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:53.119{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6777C1C6F788511C10275C13AC6DFB0,SHA256=085A932EDA4598BC1C203CF066FF8167C81891CE641DC14EC77C68443BBE7461,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055235Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:50.651{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055237Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:54.322{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506CE668339A761C59972417C191262A,SHA256=D3EEAF4E7B723BB06D3104D3E4FD64998E9238203693D74A9741141458F71075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075663Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:54.134{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B0E9A368A257FD4304AED58ADE1B88,SHA256=3EF6FAE21CD3800EAC8C157BE98780864AE2DB113CDA8C03CB7E1FA943D1856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055238Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:55.338{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CD570F61B1E4CC07F8BCCA4AB4B9E4,SHA256=AA47F97137A9A38B8F04B3E4264835FC06B3B98D698AC069A57A93BEAEF5AEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075664Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:55.149{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103C87E842D435FE240CE95B3FE95289,SHA256=4E82937B94903086199FF02055D4864A11FE19254A2293FF0FD159B8C8F430B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055239Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:56.353{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC3C463FF893742B569BDC715447217,SHA256=4EC5A4B2C22646731E6693E87695AC1965E079CCB2F179A546F17EF1DDB44A9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075666Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:54.344{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56421-false10.0.1.12-8000- 23542300x800000000000000075665Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:56.165{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59626563CDA89999E1AF8D63157DA413,SHA256=454FAD1A7D8C7D9AF1E3F85D4F9301AA7307D6F021C8667F937907FA7BF3C61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055240Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:57.369{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E92B6E9D9F206F20128F802CFFFE089,SHA256=661B3AC60EE1B9B1952704A0EB9EB35CB1C2992BCD5C13411CDAEFAB91185D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075667Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:57.184{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1013CE12A06B7CD549BEA32FEA099050,SHA256=079B7E849539F8213FE0A70C02FD7FB122D166711E0AA572F1DFABF5B075164C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055241Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:58.385{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0451C3BAB6435E3A8E9A95F32B59C6C,SHA256=C1F0F0E516797EE9E6B9A27C16C30D8C330D34ABF2F03958BFA9AFFC3C797D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075669Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:58.661{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1336109473C279AA492CE118E4459803,SHA256=C2D2BE211EBFBB5D91774EEF06F5A9348E52F48D9625E7DE26EEE2C41329A62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075668Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:58.198{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4E5B6330667A7DC971AF37E25774C4,SHA256=8135424A6E3E04A5132E3ED835DD35E7CC3C6A305453CECA5431429911B787C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055243Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:56.605{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055242Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:09:59.385{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDA6D0EE88B41693099779C241EB2E2,SHA256=1D76D55CAE3230251CB37CDDC11DDBD1B0FA75E67F4218585EE2A35629C6BF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075670Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:09:59.213{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B304609853AC2F927B27FC179BDF8498,SHA256=3DE1C84D7B46BEF0B3C7F61F2CFD50A768242379C29EC8818322B7BDB261F1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055244Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:00.400{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DCC05C6D94A32FE7106788F609FCD7,SHA256=DEE04536981278F58BEA5CEFF1DE8531782406938B17115A6503E899A18F0A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075671Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:00.229{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CAFB04188BF8AA369ABB0375B05E2A,SHA256=141D3F83FD41059091783B7B885379A5A94F9FA4A220A45776B9D2257DA8915D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055245Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:01.416{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B183C5C79ACEBB628398256A96A0F268,SHA256=0EDBC5B2288E552CAD25CE2C0E89AA7BF9ECCF31A17E87BE33064A9A7C481384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075672Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:01.243{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C8A75C9978B30856209271D83D8BA,SHA256=49154D5CD873AB5085F943786BE4023BD5D03AABB7E307B2E16587E802E6303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055246Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:02.431{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C59D0640B7B4E792F23A5683989000,SHA256=56A7021BCCC13B7C01E165026F038DD73B35690D970260D787BDD98CBDD6DF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075673Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:02.261{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC70E0218B019D8E4C12139CBCCC7BE1,SHA256=4B55C10DE3AF5E808DFF5C3319A6686219548911E13EC4023C5465B6B734F7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055247Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:03.447{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD770E44D0315041EF753DCCFF1ED04,SHA256=0CC0314A459EF58B61D473EB2C71BD3BBF515A8EBF1F419230F4DC3A15F5A0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075675Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:03.279{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CC4386B2FA1BF54D18DC12DC6A20CA,SHA256=2BB270448B97623FDEED66F8057A6024D96CF8CA2BC1EB96FAC7EB04FB7FAE3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075674Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:00.386{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56422-false10.0.1.12-8000- 23542300x800000000000000055250Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:04.448{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7A35048EFBB33F019E7E346BC5A905,SHA256=26ECD28D12F81F450F5322FB4F91E8F1C145DE5168F460FF5CBC57BF4698A54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075676Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:04.294{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0DD71F9870EECE6AE08E56C78817DE,SHA256=7D6903EBBF3642F89A85D7D93F02B78892B776508BAA7F9A17FB52BDB8C9AEF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055249Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:02.543{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055248Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:04.356{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-268MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055252Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:05.462{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25902767752057A5C3B29872FC5CAE97,SHA256=C2EAD7B5F9865BF347EB04FD8806ADF453AD75A6706E5847D62B7EDCE29E546A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075677Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:05.308{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ABBE39DE06E6263E2088CDA386D36D,SHA256=E87EE15DD6BDC888CC4FB2DDA6658157ECCA60037D4872467C6F87047886052D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055251Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:05.355{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-269MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055253Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:06.465{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221D786051B3AA2FA876F430D22CA604,SHA256=B6B796A00466DA3516D613F9BE1DF0CAFED737AF59F64DBD6A5B95DE028632BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075678Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:06.338{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C2B7F3984A90B60FCFCC3F9BD4BFDA,SHA256=D02DFD5F92EB5E8C6FF4E198F872C7CBAD7E9D0B7822DB62E7BD693766619B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055254Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:07.481{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD152639FB2227A3B506DE895CBF7A59,SHA256=607EFEC5746EB482EC8EF0D18FC5F65B742E5BDC143C8ABB8292A5060ADA2F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075679Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:07.355{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C886E56D478381270B281389318B178E,SHA256=BA50A6660FE113E3408414289BC7FC3C5F92316B864E6B00903BF9BB56E96C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055255Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:08.497{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0162E408DF719457F521ACBB632E9D,SHA256=B75766ADEEC46DC17615A40F250F6D9C628DC0595BB705C9AE91B6B1C3A531DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075680Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:08.374{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496788F6A62ECD384A5940F56610F3B0,SHA256=95DFFDE4EA32BB19AB83EED3BD8BBBC84CE814031535F16764ED23DAC9D33903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055257Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:07.749{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055256Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:09.512{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DE0D08FD0AF9832CDC850F1349EA06,SHA256=4768BC39DDDEFFA0BE508BF04F6799FAE0C5A9887750727893DAA509E3C6943B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075682Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:09.389{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B6B49761AF604D0520DCCD9E3E0F8E,SHA256=22C286042378EA5BD32A729BF5CBAA0EEEE69A770D03B6D80882E099852A8C35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075681Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:06.395{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56423-false10.0.1.12-8000- 23542300x800000000000000075683Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:10.419{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B0D78EDA5ECA63D0909DB576B5B047,SHA256=B3D3EC434292168E6B677C9CAB59FE14BC77B807C049813AC7AB7A9504DD538F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055258Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:10.528{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0561CCE8F9E18FF49A3705498FBFE4DB,SHA256=A77031DBC4870F2E374E7E1B7FA4069856A92E95007C2BC7A2CDAAF64E7C96C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055267Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D153-611B-8C0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055266Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055265Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055264Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055263Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055262Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D153-611B-8C0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055261Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.965{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D153-611B-8C0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055260Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.966{8A88D375-D153-611B-8C0B-00000000F101}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055259Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:11.544{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795EC455B2AED25DB0B9652413BC7E2D,SHA256=3738BC5D2CD6F11530A273AE626B7CCE5AE407238E558C063ED38562BB3F222C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075684Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:11.452{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216901ACCE214ACEE1412A4337653CCF,SHA256=9AF37737215C429D6A7C4D175D38E2C8F36FF880CA2F2652FF9F2F8D6AA87C49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055277Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.840{8A88D375-D154-611B-8D0B-00000000F101}46565556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055276Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D154-611B-8D0B-00000000F101}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055275Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055274Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055273Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055272Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055271Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D154-611B-8D0B-00000000F101}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055270Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.653{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D154-611B-8D0B-00000000F101}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055269Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.654{8A88D375-D154-611B-8D0B-00000000F101}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055268Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:12.559{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8BD6CF780414754500ACE4D38BFFA0,SHA256=B877AB89C3527774BD55298E3262489B82FF3A41B4449522CECB7D3C56775658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075685Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:12.486{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D68C38C7019BEB74B03F98B92F138CB,SHA256=CBB46410A691AA28038C243BC3531F5BF48AE16AFCAE85639DAD607608CB8BF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055295Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D155-611B-8F0B-00000000F101}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055294Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055293Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055292Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055291Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055290Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D155-611B-8F0B-00000000F101}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055289Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.827{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D155-611B-8F0B-00000000F101}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055288Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.828{8A88D375-D155-611B-8F0B-00000000F101}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055287Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.559{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127ABF2CA3AD0EC1B4AA20862E94225B,SHA256=20B62A448294355B18DD2910EA26D1B58BDFAEE1EEA7503024C30BA3D01738DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075686Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:13.516{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A0C3A5F9DB3104E0EF9309FC814D15,SHA256=BAE06DF421493A5A153A1A82B323E95DEF5D6D94AC68420123B2B9AF051F078D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055286Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.481{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7C4AF22F5034525AA32DC4D30A6011DB,SHA256=A69DEA9E6FD0EA3D67EBF83E49B8CFC580BDCF2E84FCDA36F8226DB05EDA2136,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055285Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D155-611B-8E0B-00000000F101}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055284Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055283Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055282Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055281Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055280Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D155-611B-8E0B-00000000F101}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055279Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.325{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D155-611B-8E0B-00000000F101}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055278Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.326{8A88D375-D155-611B-8E0B-00000000F101}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075689Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:14.770{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-276MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075688Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:14.531{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697BD4B85B05DF1917677DE479A897B0,SHA256=730165537757AB4E34F3AC3851C6FE1E88F9BB3E35540016CF3E28190F74646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055297Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:14.561{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568C48F6F1F9BC3BB3CDA2B09B6228FC,SHA256=8799C17E782F68987ACCA9058D58A698B0D1542123F1AAA3372A978620E3CCE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055296Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:14.186{8A88D375-D155-611B-8F0B-00000000F101}53802552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000075687Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:12.243{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56424-false10.0.1.12-8000- 23542300x800000000000000075691Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:15.783{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-277MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075690Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:15.548{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF9BEF6AB57C57B69D685EDBD00E742,SHA256=CF037BECB3059B8446D9018F7C36E372CC47F0EBF5B25198CDEE3A0D945B1ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055308Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.889{8A88D375-D157-611B-900B-00000000F101}35486072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055307Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D157-611B-900B-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055306Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055305Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055304Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055303Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055302Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D157-611B-900B-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055301Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.686{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D157-611B-900B-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055300Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.687{8A88D375-D157-611B-900B-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055299Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:13.517{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055298Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:15.577{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF28332E73822CCE4C0A27349EE5F9,SHA256=AA1E51F404BD7BEA0D9F711764BB460C69CA2E09A12CE387A68C84A8C2C282C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055318Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.593{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C43C87DC20773D09E6CF80F8E3FD00A,SHA256=41488E17B13C10A3AED7AEB83897B7C26E9AE64A211F2D81FB7ACE6FAB102A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075692Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:16.567{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF4CC476D2B6631B713FEAE6C28D15F,SHA256=2B2C2532703AAFBE14077F5A0CFDA820010955E7CE9F5D0BDBF6A6C4B35E31CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055317Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.561{8A88D375-D158-611B-910B-00000000F101}57085832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055316Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D158-611B-910B-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055315Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055314Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055313Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055312Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055311Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D158-611B-910B-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055310Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.358{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D158-611B-910B-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055309Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:16.359{8A88D375-D158-611B-910B-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055327Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.608{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D400600E87289D9B5B9270A2426F5BD,SHA256=C7677BC140F483DD04F8F80BFB4D8063D41F0107B45C29ADCB2B757CF30E56F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075693Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:17.596{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E6C3D7F8FFA2382941D6DE6212083E,SHA256=BEC486866CE945E72185F9C5504DF85CF42A75714E5862EF11F7DDD22095F2C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055326Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D159-611B-920B-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055325Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055324Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055323Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055322Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055321Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D159-611B-920B-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055320Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.030{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D159-611B-920B-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055319Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:17.031{8A88D375-D159-611B-920B-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075694Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:18.626{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E831ADE8151BF6C1EA6612D8C264A6B6,SHA256=100100511FCA1989E58E91D8B204940C345E336D6BC9B7DF6EE52A75DE393E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055329Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:18.686{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055328Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:18.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30E8AEB187BEB9799BCE5BFB2D3D0BE,SHA256=A864E8AC4B83386AB347903BA982EE7F8AEDE257984F97D5AB7D44715FDAE321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075704Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.647{2F630BB9-D15B-611B-810D-00000000F001}53724788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075703Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.645{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4E99ED481FA4A1001BCFD53ED48B90,SHA256=1E1A5FC2EE0AD103A43EA76F24EB4D622BDB99BBA27655DDF0B46D293B7CD384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055330Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:19.639{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEB1ADE05E8F3DABDE0EE97AD6E6709,SHA256=2B410E795A4992CAC915283495E1F12B23AB45092785BFC2E12C852B2BD27627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075702Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15B-611B-810D-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075701Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075700Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075699Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075698Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D15B-611B-810D-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075697Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075696Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.494{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15B-611B-810D-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075695Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:19.495{2F630BB9-D15B-611B-810D-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075722Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15C-611B-830D-00000000F001}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075721Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075720Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075719Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075718Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075717Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D15C-611B-830D-00000000F001}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075716Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15C-611B-830D-00000000F001}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075715Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.861{2F630BB9-D15C-611B-830D-00000000F001}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075714Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.661{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51621C0937B93E0A6770001ED5B8B489,SHA256=B85739A20CC7786B84B582D918F32E7E014594C5BCC7372C5D500E8B14037C27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075713Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:18.268{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56425-false10.0.1.12-8000- 354300x800000000000000055332Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:18.173{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000055331Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:20.655{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7FD43CAD74E8CB6545FC3DBE93D5E2,SHA256=07C056EA1AC1F19B0B59940ECA9A43ACB5907E0EB95EBD018D1D4FDC5E0C0829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075712Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15C-611B-820D-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075711Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075710Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075709Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075708Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075707Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D15C-611B-820D-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075706Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.177{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15C-611B-820D-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075705Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:20.178{2F630BB9-D15C-611B-820D-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055334Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:19.548{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055333Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:21.671{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE85205D5621EFA6046B71B887F18BFD,SHA256=10945F21AC04A0C74E6CAC6DB50419A06F814E263CC61C7EDD4EB272E148B6F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075732Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.707{2F630BB9-D15D-611B-840D-00000000F001}57966040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075731Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.691{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0306F209DE0F66D4C34F4291729694C8,SHA256=65D065788294017BA1DC20873DF8F3CE3FFB1440CA76EE84000ABA5ADD557CE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075730Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.544{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15D-611B-840D-00000000F001}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075729Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.542{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075728Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.542{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075727Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.541{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075726Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.541{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075725Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.541{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D15D-611B-840D-00000000F001}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075724Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.541{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15D-611B-840D-00000000F001}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075723Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:21.540{2F630BB9-D15D-611B-840D-00000000F001}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055335Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:22.686{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE0DCC253F6E8D06C692769DDFAC94,SHA256=B567426F9282DBF50A824873028C6A386904233B397FCC70D128747F72C94B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075751Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.875{2F630BB9-D15E-611B-860D-00000000F001}54885976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075750Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F8C34B5895C5CDD920D7340DD5F6B8,SHA256=038DCD4D9D4B1CDBBB270B065A9AC63CEBC18CC63710320B81585AAD307AFF79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075749Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15E-611B-860D-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075748Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075747Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075746Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075745Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075744Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D15E-611B-860D-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075743Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.722{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15E-611B-860D-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075742Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.723{2F630BB9-D15E-611B-860D-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075741Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.175{2F630BB9-D15E-611B-850D-00000000F001}59165016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075740Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.044{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D15E-611B-850D-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075739Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.043{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075738Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075737Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075736Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075735Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.042{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D15E-611B-850D-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075734Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.042{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D15E-611B-850D-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075733Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:22.040{2F630BB9-D15E-611B-850D-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055336Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:23.702{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5302D0A92408CA117804BE9E5F3792DB,SHA256=615746C44ECCD0A07494DD11F57E006D00F9CB7BE230D7FD33EB0B26309D98AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075752Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:23.742{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F832EFB7B348981CEE60DEACA6AB00,SHA256=84D9834D1AA7CF65C6B39347BF8DC74C5680AE8539F4E0CE9A7F00449BD69970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055337Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:24.717{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD31A11E224536A390271655F3BDE96,SHA256=E0F52921257AF8A7DD583689281AB68CD2E4D3E63BFAE9C6D53A52FE28F7D4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075753Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:24.758{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D491B8B5B704EFA450D123C13C5AB7AF,SHA256=CEF94C4F988636B1870C3DF92490C78C3EC43AEF9B1105514BEFE43F34D474D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055338Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:25.733{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11551218C76624270F9A80E2321E862,SHA256=327D42ECB553E51D884FBCF4B06017B382EFFC4EFFA3C4AE7DDF19E5DD5DF9E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075763Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:23.363{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56426-false10.0.1.12-8000- 23542300x800000000000000075762Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.788{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8CC59D15AD0C2DD7CE1D9B36A908FC,SHA256=3C692BCE8C2A00478AE4E04F4B20A99391291E11E30339142372AB8D195EBEF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075761Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D161-611B-870D-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075760Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075759Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075758Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075757Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075756Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D161-611B-870D-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075755Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.104{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D161-611B-870D-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075754Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:25.105{2F630BB9-D161-611B-870D-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075766Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:23.931{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56427-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075765Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:23.931{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56427-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000075764Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:26.803{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD119E28490575BB0F984BC8BCA4EC35,SHA256=6CFAC9359D0C459D87391F745CA348CE7CE83640ED23FC1D3801FAA0D44C3C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055339Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:26.749{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E30FB92BAE254E2ABDED334AD86BD1D,SHA256=73DA8FF8F9056FC63CD43E261FD0F566CC652353BACD0CE2E9D8E13C06733643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075767Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:27.807{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889CA0877182DACD1EB7F734CB54BE33,SHA256=A99DCC375F42E834F7909296F8DF40932C35FE8B0907E807D1CB9815B1B16C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055340Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:27.764{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E091ACE46F1D1207F1846050AE9DA604,SHA256=7802CB23E1425D35B3F4EC01D83F864F4EDE76899386F9AF87CC767F2DE220B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055342Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:28.780{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401EC96237D231B97DBF6F84FEAA5ADB,SHA256=18EBE0D10ECB741298AE0640649B593B6478DB739734A89614C396306223EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075768Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:28.821{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4A25DDBBE9FF6113975C8BE1C79C1F,SHA256=F42B05A4A4143677CFC4205CDD11703E24A6130230AC0B61C6466E233FFFA968,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055341Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:25.579{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055343Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:29.796{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151AE31C12F7E684E6E3F95ED7703434,SHA256=7FD69DCE86723BABE516DF3DCA7CE417A832C4DC4F3E5C028ABB55BBAF21F001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075769Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:29.851{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F00E9A96CA6589BCFB366122B3FB3A,SHA256=1792028FDCC59D174A8A1F7FF35A09AA46744BEA94B13532492F6C009D21F39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075770Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:30.875{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7088557D492D74826653C57E0D7103C1,SHA256=B2A2C91210F1D53FE5C7EA1EC18EFEC5D4F888AAEF9417D9AE2236925F0A8877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055344Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:30.811{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC9845DD04987BC9D1D6DD3DCB359B0,SHA256=923752837BB68F120E2DA44294138F24D9A8F9B7A157EE969D3B6FFA8C8DD4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075772Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:31.901{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23FD28918719F19ECF892DCF2F1DB60,SHA256=2DA979578AABA815A3DEFC61842511B3517FA27CBD4139389BB911F38A472041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055345Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:31.827{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9F94DE7F9007DFEF8740EE1AFF7A2F,SHA256=77978205C461954187B235BBD4E578BC297DD6EA4B9D592EBB97F3A8456B0F50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075771Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:29.212{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56428-false10.0.1.12-8000- 23542300x800000000000000075773Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:32.917{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28DC81A1E45A092F59F909F9388849,SHA256=51C40F967AFE87FBD35655F787C02299E43789C1CB5278F581C543E0C0AE590F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055346Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:32.842{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A741FD604CF5CECBCD7234ECBE714AF7,SHA256=AE9AE4684E472F109C8E9AD8CC3D1EE59316C6D32642041FA0EF8FC38AF2703A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055348Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:33.855{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA50D6221461BA88CE6FB6407B213C04,SHA256=516380CE93CDC6EEE4A7D5C82FF76F7794F988C0009A044149D38D8F22D1E5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075774Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:33.931{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649DCEC7727A53B87AE9610B6EA6CCDA,SHA256=9B17E686216A85023A19352B3C81DC74814E45E8F13DD4E05547FEBA57C868D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055347Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:30.751{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000075775Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:34.950{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DB34E5706BA21B50B5061448F2F212,SHA256=63603D0C1D76C699DF45E09026CDD81472F466229BE61D9E8BC96E747050A50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055349Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:34.871{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9E5CA4E4887B8AA483D797E5A5162,SHA256=B5C25C6D16793177E9134B9E9EF72C86CDC2667BB2D7EB2409D659C8A912F505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075776Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:35.966{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64053814E4F0A8622918425061764273,SHA256=01D82BB3522C30D8D63B2D8742E603C72FECACDD53D12369E39700EA8028A917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055350Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:35.887{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A0BC6594F270C9D08B53F7D874E537,SHA256=7FCD55A8FC9B14D405663F65AAA7F8C7DC0CDBD4BDD8AFE008CEA3FC261F1606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075778Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:36.996{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729160BD616BEC11F2D1CCA99CBAFC21,SHA256=8A051DF0DB39609651E5884C8891D21093EAAC15643E532DEB1AA5C99AAEA5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055351Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:36.902{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B7B780AFC759CCE851CBCDC826E069,SHA256=A17055701B1F8967922E272C646346C5329B5CC7F45D5D9845D350467D94BA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075777Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:34.272{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56429-false10.0.1.12-8000- 23542300x800000000000000055352Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:37.918{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5438E8F1D60497636A399B9E3712685,SHA256=48115699CF59E8CD7C07A51BCEAE748EA97B1257019BB59BB94D88F4010BE6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055353Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:38.933{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564661AD9493945F89ED92B111C96953,SHA256=CAB9D0C8E7A387B36EF36182B75457E615F914E395A7D8D57EEEC0ABFC3AB78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075779Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:38.026{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC4F251D14CD88B4E2D9A6B6D2DC304,SHA256=3B6C14F6B086058249AE52AB52EC662B8CBCADF6BD49940585969A677747FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055355Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:39.949{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF013CFCE3794B0A0239331EF15BFBC,SHA256=68EC7BFE6406E003B53760B74B6B411D30B3940866C63779983EDFB20437DBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075780Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:39.044{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D1BFA4C8ED1A326D7D78EA9D83DAAA,SHA256=1322A5610C25A89F09136B1BE4833A3AEE085B4C3B73574A1E35742AF6AD5280,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055354Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:36.576{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055356Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:40.965{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DB9A2FD01CA86CA8EA9A5C5038A589,SHA256=563AF03937C37B1185E8B9F2357A6343F0560D352FEFF34F5BA8656051D75D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075781Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:40.061{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AC323B512921C0D68CB5FB4C4DB633,SHA256=9DACB3CD8D85C90DA75D144734B0CF841A6ED4AAA472083D083E5FB0DEA22400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055357Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:41.980{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D837B44BBAE095AED9605EF8E5D9CFB3,SHA256=3CBC6D5286346AAEFF8D901E6CD7F73C701A1B03832A2016ECA4AC28C28E1ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075782Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:41.092{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAE0A5E8101425203AD61278C16C153,SHA256=2195CA438BC9800B1218CE0E8D0B8EA2D2A30AD34B76E404D242ECCA2676493B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055358Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:42.996{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F1C20EF7A07704400D72B9A216C32E,SHA256=E110A514278210E0E7F3D691B305DFBC4F2C2A092FB92CB99A446591E6960C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075783Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:42.121{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF9EDC5478C47B8BFBAE1AF8B7C2AEF,SHA256=7D0A33C3EF5BFBCD7787A620CB08020CBD6D8ED3338F6BE2D02AF04FDB96319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075785Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:43.158{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD040C8E5EC9865A6FE6D2A25975E27,SHA256=4151D1CC35B7122E6B05243162B8ED180D0F0201FF7E401A915267F8E566B149,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075784Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:40.265{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56430-false10.0.1.12-8000- 23542300x800000000000000075786Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:44.188{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFF2AAA9098892ABA713C5E414913C3,SHA256=CCBDF2AF57A1F7C34302CF2FE2A797622D6BF637C46CB8C2AADF1F2E7982C232,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055360Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:42.607{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055359Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:44.012{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DC4B415B916B878CE42A0DA7B22900,SHA256=8B40251A230982EDAAB5098C6F464215D7DC1C04CB32F755793A92EB5739096C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075787Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:45.218{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110F0CE1299A2FE49BF49332C94EA88D,SHA256=01F3B8EC286840046EFD7A00D493D0762CD7C6473718E2837E20AEEF20FD4382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055361Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:45.012{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E05D9A8E5C948A9F6FC75F26EC13415,SHA256=9CBC04F42F2963392638FF6508B9D7599741DE15E194BB48C17C80632459ED7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075788Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:46.234{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5DAEFDBD083D0C9138D72D9AA2CEF,SHA256=DD7EAD0342D11BE53CBF5ADEEB5756159813A587D99D82D41000502D05DF4155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055362Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:46.027{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72643E93E8C7C66E08D170DBF8A227B2,SHA256=4D35A7C3D6D0AB6C082B0D78768EE38B1AA78C2AED1AE61A094B5C565555926F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075789Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:47.268{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2536DBA1D1F0788B2FEE38408553D86B,SHA256=1B9933E5DBCBF6FA75AD4121C1FF2F8C511BDC71F98F212D0A6057DCE4087150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055363Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:47.043{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD93DAD84ED6E186B4927BAE790618B4,SHA256=DA03A40D039DAB8D0F181469D6D4A70930F739D37A61A48FE2D78E2F4AC4B0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075790Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:48.298{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FE67EF7CF8DF9115CE71B991252F3D,SHA256=88018FD5DDCC9D7AC0B58CBA2AB792672008A56E2A401FB64622F6872F227CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055364Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:48.058{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36208A3BE52DFEA66384B338B494F24F,SHA256=C0629F656877EEFCF8D9E7B4BA2B62F67183B046C041BF7FC119D0F1C181D471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075793Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:49.331{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F848C6781262EE078596C7F4FD7C8DCD,SHA256=98E47DFC41D44069A051F012BA29CB1B97D288FE5C6FB6CD5203192F42982996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055365Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:49.074{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F086F624562AC7E0D150B7DA3CDB44,SHA256=FF18486A32D4D64E5FD51C5A5BC3D32EA4EB6893BA59E6E5FCFB74F8DE6B729E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075792Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:46.226{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56431-false10.0.1.12-8000- 23542300x800000000000000075791Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:49.081{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055367Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:48.654{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055366Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:50.090{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA290E042FDED470CA354DF72D82A527,SHA256=4E9F87D347C1C8C7EF997900DB8A1EEDCB44DD5CAB270EC1C867C4E471E6CA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075794Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:50.364{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52756CE1791CB136939BB1599F84F32D,SHA256=EEE7742722299941A64E253E31EB67E200778EBEB2E809FCAD0F6831B1E719E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075796Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:51.395{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719A9D363F4A30AD97DAEFF37FFA1B4C,SHA256=FC2A6F6CE3928017096AAEB4B56C0C87B2BC76332DDA1EE2545C99FFEB59C7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055368Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:51.105{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38FE4DEF80F3F1ED62E8F9216AD7F32,SHA256=EEDE4EBD0B9CCF93A246D5D6CC8FDAFF6B0D12C2C2D998DE35051A3F8822CAA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075795Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:48.208{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56432-false10.0.1.12-8089- 23542300x800000000000000075797Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:52.427{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241AAA46C4088FF5925BA4CFB7149914,SHA256=F6408FE459BF929A23FB9E0E65C8318C7EDA4EB6BB0EA26877DFB4127E6379E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055369Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:52.105{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7D3ED76636630F470CF56C64DFC2F5,SHA256=D52834281AA23241C200D197D21F42AD39313D5021A7D87773429B1D40CFCF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075798Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:53.446{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF23EDAA4D7C04E6BCA9A4904FF9F602,SHA256=DF749EE960F6574789DCB0BDDD0674FBE4178B1771258CEC8059F78C293C7C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055370Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:53.121{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90727127E568E776F962E7664CB148BD,SHA256=AEBAB8F389061EB36E04D5BB518ACC8EE634670F93DFF45D09D00AFE8740C1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075800Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:54.461{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8257EDADF39F21925BD781858115BD99,SHA256=225EDA1F3C1235A6E68C9245805E1A5AA60B75A7CA04EBAEC9E5C0112DCC05F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055371Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:54.125{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8511835935DDB3A4E68F04539689ED30,SHA256=0056C0B6BB8D0124BEF840F1AE82AAE451A96DDEA877F3995F0C831E5E6D011D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075799Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:52.204{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56433-false10.0.1.12-8000- 23542300x800000000000000075801Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:55.491{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F40EEAA6615A593052F534C8D97ED6,SHA256=E190EBB8244EDEAE3AF913D17D5DB299808DB21230F103619BE560782BFCC767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055372Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:55.141{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAEF1058B91355A6B16B19124897187,SHA256=A9A3B8997E4D15609C7DCB044CAB8A5344D9857ADC0CB6369FF50C99E8D3D435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075802Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:56.524{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67DA83C5B535CF60210B0050BF84F1F,SHA256=4A7EB80E7C14DCA6CDDC71606CC86B7F7D9C756783CAB9B2B1D9E04270323B94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055403Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:54.673{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055402Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055401Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055400Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055399Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055398Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055397Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055396Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055395Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055394Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055393Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055392Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055391Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055390Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055389Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055388Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055387Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055386Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055385Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055384Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055383Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055382Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055381Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055380Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055379Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055378Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055377Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055376Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055375Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055374Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.765{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055373Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:56.156{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FF957B77067F67635FA2E5B101361E,SHA256=71023688DF2659E6DDB55C430930922DF94F9DA1A128BDC8519D69AA00CC5714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075803Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:57.543{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FEC61D32C5FE0821C319AE6153D590,SHA256=842346A45566EA5DB6C48337CA7C519D47AB93A7A95A427F9F26884871F5E930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055404Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:57.328{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093047C3100FCB5DB7160CFFFE346585,SHA256=6EB643B3591D3F6979A79EC050856072031C19B825E4CF6A0DA3C1276DAACFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075805Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:58.673{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E10A0C1CF61F60397A445DACD86F674A,SHA256=A3B3A8309C7A76FA64AFDA8FC12C30BD86878C0B26FC43FD013843518D0BE1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075804Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:58.558{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36857C438B955E8957A3C3ADFF4C0B6B,SHA256=4FACC2CB38AE28E698F48F8BBB72A3F3D4628DB4B87FB3FFE8CE8F9D70D4912E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055405Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:58.344{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619E98A880353FD451DB44F528E1D3D1,SHA256=F40A1F00E7A19374B309E0B43889B7DB535BD466794F2404A1AAEB04AF98923F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075806Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:59.588{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9303FF3806671F4453F47B12C2487E,SHA256=29BB183929E91B95AB2918E4F56848D313C933D9B3E94BA6BD3354CF722BFCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055406Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:10:59.359{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843C3DD884480A09CF81643DA867868F,SHA256=7C573370BA41FD6D16ED49A41FB76358925D5263E48E01993FFD33E1576A6270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055407Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:00.359{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7E3947F153CE27693AAA373C804E8,SHA256=64F1749DB74851DFC5CB9401F73180E5F44509713834785F8191DF1742A37952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075808Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:00.621{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29961DF1D1683822EABE974AC006399A,SHA256=DF0782FE418F370250AFC5DDE7F5C6F8E385DE375F6EBAC81E9A0CA940AC27B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075807Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:10:57.347{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56434-false10.0.1.12-8000- 23542300x800000000000000075809Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:01.654{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6B20ECFFDA9550D668B62D413D5453,SHA256=C7E512023E3EC38B518C0F8E62BDFDE58088D2278FC8D5EDE1027B8B91FAC37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055408Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:01.406{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868883D320493C8559498DC8EC19B7D4,SHA256=BEB1ABED6A949EB6B53FE74DD793F46352F4A4500A3E7F4582776CAC5D728B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075810Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:02.684{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822833785A0D0CFF9C0B2CB7628944D1,SHA256=D5BAB1DED9EFBD53D50941502F6395F5EAD80B820BB51951E174C1033A299732,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055410Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:00.705{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055409Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:02.422{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D2233F2E03D01E01CB78ED894CEA15,SHA256=64F98E0B83CA66FBF79E79969C1881B0E7274E19B960DAE94424745009A46A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075811Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:03.699{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D63712C7836EFC0E2D288BD5E13888,SHA256=93381BEE24E2FA37E810D6C79C061B56088B4F5DBF031AE4DAB2467B70DD97C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055411Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:03.437{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EC636570885A64A9DE7ADAA3CBAC6C,SHA256=981D6057B81E003F8190C05F5EC24FEB1A4FEFE62E80E12DF482FD61DB8C5ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075812Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:04.715{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8E33EA80D147B71514FDBD150E9081,SHA256=1945CDB1CBE1A66EAD7CDBE6F69910623D9210F11B933E4A87F8BC7B3EC2E49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055412Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:04.484{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513898F27AB314ACFECE9EB25CC11089,SHA256=DCAE8B1DCD704CB7D454DD6AB83AD2ED5267DB558E6089F74BAB82B8F0D1D5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075814Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:05.749{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C1DAF6CDFE618792936A8D34B7D5C0,SHA256=BF07910E993FEAD04C0C7A7479371A054D85BA86936D1A62DE4600E992F87510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055414Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:05.885{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-269MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055413Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:05.502{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37F9E2CE05D1B6D6FAE5D03CE4F760,SHA256=E7D6D983B5B9C9745259795AB1AF9F836905F9674E8742FA00DA4EFC7F19EBE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075813Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:03.277{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56435-false10.0.1.12-8000- 23542300x800000000000000075815Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:06.779{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE99F3BE1FE000B3985D35DB7162560B,SHA256=53634636CE890EC44245C42194B1986FBF736D1F738DD095B34F302D7A05F6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055416Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:06.884{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-270MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055415Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:06.523{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713D1B896297D66FD0C81A911825935E,SHA256=EC0C8BFCD1AC5EDE35D1DB2C7729D910C08D3CFCE30E68B751F5D16908A00F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075819Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:07.813{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29903D637D0704EB05E89A9DE838734,SHA256=47BECB793629740E3DBA461455D2C70BAE49C53F53D405BE41DA22E6B0C2D735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055417Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:07.540{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E896676CEAD8D10EC205DDA521B1B52,SHA256=EEB31266A233CA20FD7CC65E59FD24DF3B98154E2510C2DDFDFC46769788D588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075818Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:07.578{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000075817Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:07.578{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075816Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:07.578{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1052d15.TMPMD5=5DC7F12925A3AFE1350E22C4D18895D4,SHA256=C9B1BF1A545F85BBFF7598EC849E260DBCB3503CF53B1AC3CC4FEE256B700E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075820Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.846{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5424DF8A233344D3AB01E1AE418F094,SHA256=F6E618930E01F61A10556784B82F7BD8E48DCDEE21B60EC4DCD2BF7A46B65F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055418Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:08.634{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98CC704BAC06BEF3BE044CD6448D8C7,SHA256=1AD0A9EF9B13AE7B000BA5D07003DA9CB5AA7392CD097E6E3A53EC129A102EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075821Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:09.876{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB03974630CF597C8F64B8427F6CC7E,SHA256=470215D46829585B3EF3FBF62C0D35BC7B24B5B11FD7BD3A9D19989130CBDC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055420Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:09.697{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6FDCB69F1C72F5E6C524F3C3A58523,SHA256=BD8FBD9AFF7B9BCA24661B097994A62F3F298A57136D307411880949A6F9987D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055419Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:05.728{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055421Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:10.712{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5F8AF29282A54D1309DDE1F5F9B15A,SHA256=486FE889234292D76B960E059CEA464308F658B06E8701A6AC3EF9C001BEA342,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075870Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.181{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local55594- 354300x800000000000000075869Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.178{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local56860- 354300x800000000000000075868Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.178{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local62742- 354300x800000000000000075867Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.177{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local60048- 354300x800000000000000075866Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.176{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local62224- 354300x800000000000000075865Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.175{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local58591- 354300x800000000000000075864Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.173{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local64186- 354300x800000000000000075863Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.171{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local61134- 354300x800000000000000075862Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.170{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local49823- 354300x800000000000000075861Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.169{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local55829- 354300x800000000000000075860Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.168{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local60235- 354300x800000000000000075859Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.168{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local63308- 354300x800000000000000075858Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.167{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local59592- 354300x800000000000000075857Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.166{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local63472- 354300x800000000000000075856Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.166{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local58688- 354300x800000000000000075855Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.164{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local56823- 354300x800000000000000075854Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.164{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local60063- 354300x800000000000000075853Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.163{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local65086- 354300x800000000000000075852Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.162{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56829- 354300x800000000000000075851Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.161{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local62441- 354300x800000000000000075850Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.160{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local61447- 354300x800000000000000075849Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.159{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local61787- 354300x800000000000000075848Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.159{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local59434- 354300x800000000000000075847Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.158{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56087- 354300x800000000000000075846Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.157{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local61923- 354300x800000000000000075845Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.156{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local63235- 354300x800000000000000075844Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.155{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local60559- 354300x800000000000000075843Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.154{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local56469- 354300x800000000000000075842Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.154{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local57714- 354300x800000000000000075841Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.152{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local64525- 354300x800000000000000075840Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.151{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local65023- 354300x800000000000000075839Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.151{2F630BB9-8EB3-611B-1300-00000000F001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local65023-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domain 354300x800000000000000075838Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.150{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local64921- 354300x800000000000000075837Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.150{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local55276- 354300x800000000000000075836Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.149{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local57750- 354300x800000000000000075835Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.148{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local63645- 354300x800000000000000075834Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.147{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local55276- 354300x800000000000000075833Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.146{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local64537- 354300x800000000000000075832Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.145{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local63237- 354300x800000000000000075831Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.144{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local61805- 354300x800000000000000075830Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.143{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local50245- 354300x800000000000000075829Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.142{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local63800- 354300x800000000000000075828Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.142{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-86.attackrange.local63800-false10.0.1.14win-dc-86.attackrange.local53domain 354300x800000000000000075827Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.142{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local59415- 354300x800000000000000075826Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.142{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local59415-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domain 354300x800000000000000075825Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.136{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56437-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local49666- 354300x800000000000000075824Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.136{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56437-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local49666- 354300x800000000000000075823Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.136{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56436-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000075822Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.136{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56436-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000075873Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:08.387{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56438-false10.0.1.12-8000- 23542300x800000000000000075872Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:11.909{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B583E9762D57E5EB36957F950A699376,SHA256=0B1EC62EA53DBC5C4E55EFBC6235B3DF2A88C582B60202D019C8FD2CDBB96813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055430Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D18F-611B-930B-00000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055429Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055428Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055427Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055426Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055425Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D18F-611B-930B-00000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055424Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.962{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D18F-611B-930B-00000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055423Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.963{8A88D375-D18F-611B-930B-00000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055422Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.728{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E063579A15F5E0E6919C9B867D4959,SHA256=5D0B5D12144E1697B78A355D8ECDC1242BCB6B60985671352E9A2DE6E9F52282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075871Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:11.390{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA3C57B841CACEA2B3C27767C6B36FE,SHA256=02E3BDDC18A5C1E1964F082C35818BA8A9405C3B1CD1330AF04D6996E062E5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075874Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:12.925{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB6696B9CC9EDCA903315634714612A,SHA256=5D25EA500C7B1ED701665D1F5C773AD5A5D6A0E8153563959991195AF74868D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055440Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.884{8A88D375-D190-611B-940B-00000000F101}60084944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055439Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.759{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECDD4CCE312638E45FDC1524DE79100,SHA256=481E32B061277EB2010719B3702EBBFFE1B83F7F7C6EEFCED7CD26F1D57C7949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055438Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D190-611B-940B-00000000F101}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055437Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055436Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055435Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055434Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055433Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D190-611B-940B-00000000F101}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055432Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.665{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D190-611B-940B-00000000F101}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055431Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:12.666{8A88D375-D190-611B-940B-00000000F101}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075875Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:13.956{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8654CD3D42642EE0F5A70E7D6EDD8FF6,SHA256=533E18D449BC30C2203D506F89C42A16FA2D9FD6637E1D4B30D93D398A3ED5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055458Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.863{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68F145CD527D671CFD5B57CCAB36E3E,SHA256=FE1C2B8177D72E7D303DE0186A426271674927A719E255C37FFD29CF200E62F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055457Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D191-611B-960B-00000000F101}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055456Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055455Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055454Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055453Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055452Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D191-611B-960B-00000000F101}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055451Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.847{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D191-611B-960B-00000000F101}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055450Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.848{8A88D375-D191-611B-960B-00000000F101}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055449Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.494{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2F3ADC68F7A9A14CFCB68634B2BEC50A,SHA256=D60CBA8570957E2D4A081C0B1880F68606AD55429353908F663B50A639CAB1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055448Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D191-611B-950B-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055447Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055446Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055445Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055444Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055443Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D191-611B-950B-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055442Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.165{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D191-611B-950B-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055441Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:13.166{8A88D375-D191-611B-950B-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075876Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:14.986{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC539DAC85B4D7133D589416D2210847,SHA256=109E219693EAAED8267DFC56DB71638C901AB5B6F0EF683640FB2554BADE1BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055464Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:14.910{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764109020A6F2AE66B88A8E506B6D398,SHA256=A69F1F0CC71E624A2E6C0057193776F892D90EA13B0988EEFDB9F09DCF5102A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055463Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:14.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055462Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:14.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055461Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:14.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055460Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:11.683{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055459Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:14.019{8A88D375-D191-611B-960B-00000000F101}14645056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055474Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.941{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E921F7CAEF685C0D1558C2F7EDD9E886,SHA256=EB0FBF1C964DF37B39BDEBCF738C0B9EA6791C0AF011F6884971352A448F2524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055473Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.894{8A88D375-D193-611B-970B-00000000F101}30362532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055472Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D193-611B-970B-00000000F101}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055471Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055470Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055469Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055468Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055467Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D193-611B-970B-00000000F101}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055466Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D193-611B-970B-00000000F101}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055465Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:15.707{8A88D375-D193-611B-970B-00000000F101}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055492Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.973{8A88D375-D194-611B-990B-00000000F101}18162468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055491Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.941{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4113ECDD8C1251ACF217DA50BBBF93F,SHA256=FBDBA18115BC2A86AC378451C50DE628A6B5FF473F8E0478EAA1C622050D8B94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055490Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D194-611B-990B-00000000F101}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055489Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055488Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055487Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055486Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055485Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D194-611B-990B-00000000F101}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055484Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.785{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D194-611B-990B-00000000F101}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055483Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.786{8A88D375-D194-611B-990B-00000000F101}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055482Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D194-611B-980B-00000000F101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055481Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055480Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055479Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055478Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055477Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D194-611B-980B-00000000F101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055476Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.285{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D194-611B-980B-00000000F101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055475Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:16.286{8A88D375-D194-611B-980B-00000000F101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075879Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:14.181{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56439-false10.0.1.12-8000- 23542300x800000000000000075878Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:16.304{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-277MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075877Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:16.004{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB27DD540B986B7B503F2381C5D4CB5,SHA256=922F1293D0B078D960F7034070C41046D582FF344263ADA5BECBD51BBE5D24D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055493Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:17.957{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F40A4714362E4647834DA87A74BA9A,SHA256=2809CCE5B0E3AA33353B48500972B18835C0B5A7CB76F3B544B95CDD9682E479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075881Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.323{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-278MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075880Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.022{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC65751C87800DEE2B0285541F2FED3,SHA256=6112BD827F7FF2959B01C8FA8B8948DF37AE91CFEB767FC67C81A0112C265E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075882Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:18.037{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C416C565905B37B131392E039946B2,SHA256=22A5200E340EC751F328CFB743262CE0E1D49ED68631B8DA5C4BC42A756DB483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055494Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:18.707{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075891Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D197-611B-880D-00000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075890Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075889Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075888Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075887Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075886Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D197-611B-880D-00000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075885Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.382{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D197-611B-880D-00000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075884Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.384{2F630BB9-D197-611B-880D-00000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075883Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.067{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50515BC8742A384B14AC6128B275E5FF,SHA256=248CFBCEE5DDE63117523221C457926D8468F908F5BEC974B761A0A9627C99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055496Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:17.536{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055495Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:19.128{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF26D012551BF0E023D3EC8577352A2,SHA256=1631BF0D11409A4EDD3473039D3F4971AD18BAD2F1D1D6A9684777F870280100,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055498Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:18.177{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000055497Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:20.160{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55463D421728180D474FA582F518314C,SHA256=BF0E4287A9D9CE664D94941BA65B819E952AF31139976A34B260460B12CD3064,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075915Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.813{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local58964- 354300x800000000000000075914Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.812{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local61728-false10.0.1.14win-dc-86.attackrange.local53domain 354300x800000000000000075913Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.812{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-86.attackrange.local53domainfalse10.0.1.14win-dc-86.attackrange.local61728- 354300x800000000000000075912Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.812{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9820:8a96:3ca:ffff-61728-truea00:10e:0:0:9800:4c00:2104:d00-53domain 354300x800000000000000075911Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.812{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local57925- 354300x800000000000000075910Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:17.811{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local55276-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domain 10341000x800000000000000075909Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D198-611B-8A0D-00000000F001}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075908Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075907Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075906Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075905Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075904Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D198-611B-8A0D-00000000F001}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075903Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D198-611B-8A0D-00000000F001}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075902Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.734{2F630BB9-D198-611B-8A0D-00000000F001}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075901Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.219{2F630BB9-D198-611B-890D-00000000F001}64165988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075900Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.081{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA30F377D16D53C579D39EB28CA7B94,SHA256=1FAC35A321F96C78DB4A78C20723208D8E2598868D05950BF9539D8DBC21899C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075899Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D198-611B-890D-00000000F001}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075898Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075897Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075896Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075895Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075894Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D198-611B-890D-00000000F001}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075893Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.066{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D198-611B-890D-00000000F001}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075892Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:20.067{2F630BB9-D198-611B-890D-00000000F001}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055499Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:21.207{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C027863DF5EDFE274D6DF3821DE31F9,SHA256=AD5E903CFC86AA45D84B22F2AEE6E980D82D09BDE59928EDF06F6C54C49AEEEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075925Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.533{2F630BB9-D199-611B-8B0D-00000000F001}6776224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075924Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.401{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D199-611B-8B0D-00000000F001}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075923Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.399{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075922Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.399{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075921Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.398{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075920Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.398{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075919Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.398{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D199-611B-8B0D-00000000F001}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075918Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.398{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D199-611B-8B0D-00000000F001}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075917Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.396{2F630BB9-D199-611B-8B0D-00000000F001}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075916Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:21.134{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4EF0B9B57231C4919769E4CDD93959,SHA256=F847403E2380F92C6F67F04C7BAAFDC1469AF76F5869FA3482AD52A05199564C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055500Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:22.238{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAFF42B6A944F859EC48F0D250A31F,SHA256=530EC5DA59CD43DAE4CB6AB4E4996FA298F401B803F5E7CC02EB873D80C216C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075945Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.916{2F630BB9-D19A-611B-8D0D-00000000F001}66525224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075944Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D19A-611B-8D0D-00000000F001}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075943Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075942Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075941Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075940Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075939Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D19A-611B-8D0D-00000000F001}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075938Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D19A-611B-8D0D-00000000F001}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075937Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.763{2F630BB9-D19A-611B-8D0D-00000000F001}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000075936Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.216{2F630BB9-D19A-611B-8C0D-00000000F001}35207296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075935Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.148{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A66A13F957B4970D1B9A45DCA079DC9,SHA256=E27EAC4371AF4107CE2D8044F822D3B1F92A21C5A63416F9831815CB18DC0D18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075934Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D19A-611B-8C0D-00000000F001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075933Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075932Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075931Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075930Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075929Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D19A-611B-8C0D-00000000F001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075928Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.079{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D19A-611B-8C0D-00000000F001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075927Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:22.080{2F630BB9-D19A-611B-8C0D-00000000F001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000075926Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:19.323{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56440-false10.0.1.12-8000- 23542300x800000000000000075946Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:23.178{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7633552BA3F076CAEE5D862FBE622BB9,SHA256=0D63994357E91F4753967488C434E64D639BFAD822822A7BB8F06F4361F9C431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055501Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:23.253{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2BCD8C729047551CCA2010747DDF3D,SHA256=738F90BCC46993D0F4B4FC4F91026B8A2FC8A2442AB83DD3A5D258B6F426F396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075980Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075979Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075978Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075977Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075976Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075975Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075974Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075973Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075972Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075971Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075970Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075969Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075968Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075967Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075966Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075965Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075964Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075963Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075962Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075961Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075960Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075959Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075958Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075957Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075956Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075955Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075954Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075953Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075952Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075951Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075950Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075949Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075948Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.329{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075947Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.198{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6815481886CBF8FECA915CB5D815C1A,SHA256=01C7CDEDD8F06C5DAB3EFD94BD69C5A9542165AC451C9AC57A38A9BCA2FCF173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055502Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:24.300{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26CCB6BECD4D5A184F5BD52A30FBBD8,SHA256=4E68AC491DC5C8522344A2589EEA2C5C81D6BC7B93B6E95B0280E628A0BBADE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000075989Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.693{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A50C36CD7B7254C1C4074863B5AB24,SHA256=B1361B1503B11CA99102B6AB51369D3D00484654EA26BAEA97E0329936AF31CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055504Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:23.567{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055503Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:25.316{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B37FC526BE498D2EFC49B9F2C6DEA9,SHA256=C095E67593C510ECDE310F3E1312231881C9D0CB9B80CD50623A45E1BE611F73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075988Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D19D-611B-8E0D-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075987Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075986Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075985Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075984Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075983Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D19D-611B-8E0D-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000075982Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.113{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D19D-611B-8E0D-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000075981Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:25.114{2F630BB9-D19D-611B-8E0D-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000075992Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:26.711{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEF625566BA49C8DA46AD391212B590,SHA256=84D867C416035BC517D971BF881DB345978332C216FB601A7042EBA92BF81C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055505Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:26.332{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F96DA02BA81B9475FA6FA97AC90809E,SHA256=7B41DA62CCD49E80963746BFD030DB555928AEDD51B58FF3F3F0CC2FCD822D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075991Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:23.955{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56441-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000075990Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:23.955{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56441-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000075994Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:27.725{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D652F78890DB39470E54CC24DF7C9E55,SHA256=3D9B2597264ECEA313D0BBF0D10273055A12BC046619319536424CF3FFA295F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055506Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:27.378{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9805807337741788DA822D448225FE5D,SHA256=9D5032FEE2F8F9A28E86FFCF5740060F7CA415191A8BE5B869CAEE0A7B299699,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000075993Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:24.344{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56442-false10.0.1.12-8000- 23542300x800000000000000075998Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:28.740{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3972F154F767331F643DF26D976CB971,SHA256=021207F3929738BB1AB3A7672835D336A01EAD9B6DFC6DD24F0276B16D747812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055507Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:28.410{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3856280568DE70125C0427E23408B,SHA256=71C8F9D1B5AA38F951C762CE5539FE9F5EFF98BFFAA30DD55FDE1F8BE1FB6B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000075997Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:28.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075996Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:28.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075995Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:28.040{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000075999Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:29.755{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1BFA247D1E9ED05C586A06BF57A27A,SHA256=CC687AD83A6005E6B6DD64F32BDCA02A987C07DE7C205504E403B0FB87C1DFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055508Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:29.441{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20FC6FE3FCF54B6736681FF7FB341B9,SHA256=0BE3D4AD2786BE52C7CBE34BF9D33DBE9D2531EFAAC31766A66B4F8B1412DD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076000Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:30.770{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C41C2F332185AA9F81E86C4924F7BD6,SHA256=B2B36FC574627517399A097418EF7632A881AFAF673AEBBD6A538C66D135FA5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055510Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:28.614{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055509Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:30.457{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B54DE0AF3C0796753E0F5EADE772479,SHA256=19F35793F15192376A9A3E28A85D927E054E7E7D49581931D9014AAB4A4DFD7D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076002Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:11:31.869{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7937a-0x29498080) 23542300x800000000000000076001Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:31.789{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0EBA7E9834B787CCDC07619651FAF8,SHA256=515EFE6A18082DA5C91F8FBA24329BB6C8BD627310CD65CE7C60121892D1CCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055511Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:31.519{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69545CB7DE136C7B3B536A7D228F748D,SHA256=A585CBB0940B023EEC19103425E991BE9ACE31CBBE10C39A505FD093AF6FB07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076004Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:32.805{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37895DA00DECC7CA1DFBBDB6162761AC,SHA256=7F0927CA5C912A1C0A08D1F3BA39F7BD3DF29DB6F5A0535E9D0F38F4EFF14757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055512Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:32.535{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC4A19D67C7E80A96AF8B564F226579,SHA256=C16A36B774515475F5FF2CDA8E5A4086944338C1C4C9AF31470DD2CB40D68C94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076003Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:30.180{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56443-false10.0.1.12-8000- 23542300x800000000000000076005Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:33.820{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F087D05437D3D91138271FCF66AEE8AD,SHA256=F5EDB832D4EEA1385337AEE3587BCF113D74CBB676B4B42757FC5DA53DA2BFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055513Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:33.550{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0FA52DE94F83A7ACC0861BC1527046,SHA256=41147EBAAB80B5EC427C798657B4253AEEB1E2423EBA202E7721A45612D50758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076006Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:34.834{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A7C9E6CE001106D0A61FC12C404E98,SHA256=AC082CBE75D0357F3D40489EDF4D6142E80198B32414072D4FB9A5288CDEA967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055514Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:34.572{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139C2FDAFCD1A4B965955C796D179BAC,SHA256=3FE0B39651FF23305F401468A6DDF804DF23CE8221B1BCBDCD4C301FD5CE42C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076007Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:35.864{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25A654ECA2F2F8B9A075B7277D4034E,SHA256=60161C7A8A2C6249D6004FF92D2EC96572B95E27AFFC70A22669BC75317F59CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055515Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:35.635{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47FC718869A2D19323CFED9490FA198,SHA256=0635086F9A38C9ACA421230389E47D9FBBA6D7F098444581C85355D7C7674443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076008Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:36.881{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BD040CF3724E50F60B20E657B52C51,SHA256=785C7F8896EF1946DE67700AE21C18A22A0DED10B2CDF4CD6CC24BE0DC5CFC12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055517Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:34.620{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055516Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:36.666{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89425A438B92F16A5AB421C883E681A,SHA256=78B64D03FF5679D16D17DEE3264BB905CDF93DECB1EF396B0CF61BC740BCC60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076010Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:37.899{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEBE9352D34579CA936A8DAA8649CBB,SHA256=7EB8ACD9989F7644DDB9FF3845A8EC3B6A3EE42A3F0EFEDD29769EDBFAB29CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055518Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:37.682{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F63E709C65F2E764886509773C2C7C,SHA256=907CDE4172D04E346DA2733A6CCCD4BFBF47F576DC0AD30BBA96B03214082547,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076009Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:35.274{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56444-false10.0.1.12-8000- 23542300x800000000000000076011Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:38.914{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9626BEA6D34EAFB35351CF28825A6A18,SHA256=11150DDD025B105D5453CCE9A9991587F336E8BDC4B2CD4FC7358B52C3660F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055519Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:38.697{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45F8BC8D447EBE6B5F5675F72A425C,SHA256=59A8F8938DA6C87272051AD094960D02D1BE8F96AECEECF6DB7E10F1DA827C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055520Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:39.713{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0536C015DD072F22D8A169A8E87407,SHA256=70558650615DD250B935E702476A29F54101BFB53DD51DDC096D9098A0899EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076012Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:39.945{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398EFF41038714B5BB47D0BEC1F968BB,SHA256=436737BE8737DD683E05F33EC437F7B4634E6DC38F76C7F081F9AF561ADD6809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055521Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:40.728{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73F9FA4539C81016E4926CE9D059051,SHA256=2B1B81978B3264B95BA4F299253304D0A3EEBE471DEA22011E8D6C4009E4DA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076013Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:40.977{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAA8E3557DFC77A7F78498CB49B38AB,SHA256=8A23F6CA94656794F6C8571199BBD5129C632A3BAB95261B1C86E5418D727E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076014Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:41.996{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED9D51F05BC7B4582DF79613F1F0588,SHA256=DB5836B7023022B0D8C5C088E1E562DC5F3553036655113259B7567ED76705A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055522Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:41.744{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FF2944B64776C38B2697CC125C0140,SHA256=8F298B7FD9CBBB9D3E2611CE1055F640122E37614E568F35DCB0DC13371B1D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055524Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:42.760{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667EC7CFE99AB80490F22898730A1168,SHA256=1DD6ABE817BD783914F476264B22523B2AC8E5AA5D137A64A5A9036C43B1C163,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055523Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:39.699{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055525Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:43.775{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCF926F48D2418BA756561F09009D76,SHA256=17CDE97F947E36476431B63140412486B9EA7ACB31B0EF17DD65E27F541393FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076016Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:41.215{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56445-false10.0.1.12-8000- 23542300x800000000000000076015Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:43.010{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16887BB7F50F180CD6550A5667F02CD4,SHA256=2FEC1C06AB608AA71B9FC4DEB3F0BC8F9510E0630114C4D12307CB862E00987B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055526Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:44.791{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C981861E64FE352DB1D0179FF2C234E,SHA256=01119506B35FF1BAFC9CC91B1617818B54172A37F558DAADEE377608F1B2BA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076017Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:44.040{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946834223C2E0FA208179512464CAF51,SHA256=1BF77EB78FA9D054C0B657275C0009E62C3EF762BEDA504752716B71BF3EFF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055527Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:45.807{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB2F74540D73F11E3F4E9235F8857EA,SHA256=02B24EA652FB60FFEA2223DBDA12E786A8B77135C23B60F737E6ED22B62CF940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076018Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.054{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6EEC93870DE056F67A73CDB428A0B,SHA256=A2EE53CE9A9B0443ED16D08DDF6C531FB10F1C7026547A4AE35353A5EA8BC36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055528Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:46.822{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8CFDAC11085459E7632B7A50425B2F,SHA256=02683EEFBB167812B1319BA083A2FC62664543853ECE678F76021B1804243CB7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076022Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:11:46.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000076021Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:11:46.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Config SourceDWORD (0x00000001) 13241300x800000000000000076020Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:11:46.138{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EEE851C9-D76F-4DC5-8941-E56B2E5B48D9.XML 23542300x800000000000000076019Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:46.091{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7942F73BA5BB9B6B4581F12A941D4CA5,SHA256=A7B298AC6547F6076AFD1B677D66B002EE6E01B9D91F8CF775993F752C6D3447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055529Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:47.838{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F61ECC6DC1FD50F830A547B0EC5742,SHA256=9B203745915350D04344283C00C801BA5DBBAAB290A94D8D98A681F6327CBD1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076029Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.299{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56448-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076028Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.299{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56448-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076027Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.294{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56447-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076026Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.294{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56447-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076025Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.281{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56446-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000076024Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:45.281{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56446-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 23542300x800000000000000076023Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:47.121{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E16FBE8458F2054EB41E45D84459B8,SHA256=548F6A6DF8B646180965E469620A9C7928F355304D59B12A8899DD62939ECD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055531Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:48.853{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040EA4DAA15FC8F59EDF01B7A3AF5B76,SHA256=B1E640589F61E74BBAD6B72634517903AEBEA3A4B84654A5B40F2FDB79D13021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076030Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:48.136{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9A078C14EDEF6091849CFD75D0494B,SHA256=5177286C75DF4397E679CCBF2E96A55AE918EA8B1A9B470710ED50748F920AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055530Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:45.745{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055532Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:49.869{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACD7EA7D5CDB87A56F0168405DF4BDA,SHA256=09EF8513C477C824A89BD9002DB250A615B302493A9B5D242B98F430682D413F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076033Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:47.246{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56449-false10.0.1.12-8000- 23542300x800000000000000076032Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:49.150{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF842FCC9E1E09F3398F55C955E1DC40,SHA256=D74B52668E4D7B7BD621815F88C29DB98EA59B066CCF8D74A05DA99D4AFC624D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076031Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:49.103{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055533Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:50.885{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644C0E930B0A1B107CBD2A8DAD4A6EC,SHA256=EB0C2F94CAD46EEDC235A6883ED24F15204AAD2E995AD72FDF7A43AF6009C7B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076035Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:48.229{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56450-false10.0.1.12-8089- 23542300x800000000000000076034Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:50.167{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7255A748919EF5980CBDDBB796C5BC,SHA256=A9E0C55C377EDF8DB487D44B5060E10BE3D1052640619BD4A93F8474CF6B7B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055534Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:51.900{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7C0DC64D7EAB9AC8AA2902E5387C3A,SHA256=D8E2149605628E0E98A764726367BD5861784DFC7AD4B38408FC5FF5E7F6E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076036Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:51.200{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33C5AF2D4716B11064380BB75E1575E,SHA256=0F5E0BFEA78FE0AED42281F0D6B274999A3845589A5F7E2D101FB60C93C85DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055535Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:52.916{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5872D558272F66137FC12BE0A9DE6621,SHA256=162A5252F9D1FEA17A966334AA88E09CCBA18E3AD9C1CFA91E8F70D2FA4E5CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076037Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:52.215{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2600468B70001E43164C454D73F6EC,SHA256=D0868361E0DA2B58F443063C47398508850D26CFE2093CF859437167FFB0D17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055537Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:53.918{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD2962B893D00E3D27092EA87AA8D5A,SHA256=DAA906C4F71B8819DCCDAEF865F428D60C7FC46B73AF1EFB99A0AE19107336F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076038Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:53.229{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F399AA4F974CBAC63C4043E2EABB3AA,SHA256=4E14B55D6EDA06EB1B9FCBD4467F22ECAC90D57FF6AC3BEDC0FEFD07E6002D07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055536Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:51.683{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055538Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:54.934{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C3FD5E171A60817453CD1BF2CBA80,SHA256=0DDA34F3A8BAA81635B7A118899121733685A3249FDBE946226FB8625608E23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076039Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:54.243{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118BC27B2DD8F64DD714B1FFB4679FA6,SHA256=F27ECB889715B555AAC1573F3CF3A656A2ABFF959BE45C2EEE6319A3E83B65D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055539Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:55.950{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30F1864AFDE24C626984AD538EF3443,SHA256=D77A605F7FFB1D8310B269A14363661503EF3DF778FE1943DF9CD1824EABFEAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076041Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:53.269{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56451-false10.0.1.12-8000- 23542300x800000000000000076040Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:55.260{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CAA1D3C60E30DC51CF5BBFD051317E,SHA256=D3FCA250B85BC3AB85AAD3926D5B43FEC8AE2C25C9D6233FD257B58681245E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055540Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:56.965{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAFC6D2DF8C88AD9111C6FE3E738848,SHA256=8C362565732AE157AC92397BF89B30F60A055581DC5E2D06DE7A7C365FF57A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076042Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:56.279{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD04E4CE99BF1F71C56753C4FB01DFF5,SHA256=58F22955E0449B2CDB754C73F9AD070147225296839278FD50EFD39620F60705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055541Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:57.981{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2338EF5690D35E4C16121468857F105E,SHA256=CDCC9801E961BC2C73481AA594B1E94D397695D81CFB575F9705B49FD231C4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076043Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:57.293{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B46880B517790D928054FD430A0D4D,SHA256=D5C9CEF0B784B4B015A2E1555C1A8E54C5EFF23DC7F103E07569E8F2AE9CE56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076045Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:58.676{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38DDE465027BFD07EA9C9AB34575B05B,SHA256=B1AF56503C259F24CEBCB27A4255F090B87A7DCA8AEC5390071392E4855A41AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076044Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:58.307{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB93104C344929FC1CB2A537076737,SHA256=43289E34BF6BEA21CBDD7BBC292E0A904286DDA8B2EA2F5D47ADC4650AF58F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076046Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:59.338{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5524A3BBFE6A09F8A1D80FF0602F73,SHA256=862547F63F70E78A41740C15C58556F86E001AC55248A5EA71BE5FC2566A7B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055543Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:57.607{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055542Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:11:58.997{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E19B79D2F6079FAB0069071E7BF6E4,SHA256=DA08E2634E4E65EF2A8557BC777D41B4ABDE1A2CBC37A40B2A784090319EFEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076047Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:00.374{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C4E78153B42B0F378F3D8A58AB7FCB,SHA256=D828CB44E93701946E877D6ED98545B46EC65E58C192790B9968EFD0734C4885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055544Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:00.012{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2802EC76F4CE75C9C953121D41DCD4,SHA256=FFCE2CDB6B298F15BD883CBD4BED64930EB5CF5569EE130E6A04D7B8810B456E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076049Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:11:59.216{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56452-false10.0.1.12-8000- 23542300x800000000000000076048Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:01.388{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554A9408DEEC640CA4E546A8830E295B,SHA256=850E0C0D192C3971B95B87A0F15DB5FFA4471CDBECF6AF485F74A49764DD7418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055545Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:01.028{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AE0C68797209542DC5EA9CFC7C1628,SHA256=732C6D72FD30BD078085F910383F3A07D4B75D8DF2BDAB6BFD597C6F71FF2DE0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076051Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:02.503{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7937a-0x3b8beed7) 23542300x800000000000000076050Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:02.403{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CBF0CC0A18E2E986197D530ADD1B99,SHA256=AAF60E9CC04C2823CA8E16C23EA1332F0A8470CB0B2BDE1DC6662DE58D8E2D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055546Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:02.043{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DC74CDFA7CF983729DD1795AF01735,SHA256=1820534C9D2422902AC0A3BD669925C36B224D26591FD86840879CD01E2D7B7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076053Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:01.629{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-86.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000076052Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:03.434{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF16C0E465BB5B37AA46561096AC3BA,SHA256=A5E4E50E5285907F08C764D85783A840E295F2BFFD7489ABCE6A9CF8DABA3DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055547Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:03.044{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74318A2C3B7925F6475B538F9AF0640C,SHA256=573307B8683E5547150760461F085BCDC6106EE9F7D50A829353A6FAB1009ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076054Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:04.454{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F866F8A450C2F06D4A23CDAB85D88,SHA256=145A4542F12360F58911153F190B28B52AC7455E8A9866168A2ACF68495D4C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055549Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:02.686{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055548Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:04.059{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA6E73E757E7E1010A004E98D40D888,SHA256=64F7F158A09507468EA0D7DF673703B573028D973574D301ABBB8A66A9A34CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076055Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:05.469{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56792563FD4DDB09D577EF5F0F2DA816,SHA256=A0A9DAFA915D62043E7D3225602910D07C8FCDECD58EDE042D581879767EBD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055550Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:05.075{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24C43EE0551CB6E83F7A187D27013C7,SHA256=D59BF5195DF18CE90077C8FE8983D0A756DDF112290F7BF1A85929E3626FA485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055551Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:06.153{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDA83DF3F98774A15E78E6C06AF6682,SHA256=7265FDCCA94344D6B72F92EEA1FABE2CA08F912DBE254CCFEE48611AEF5835B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076056Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:06.484{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA17C70C220E87F5B908F0B45D8A0C02,SHA256=6536BE853D14B974258EB5B2D39C18940DA9433533F46D577D0841DEE83D38C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076058Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:07.530{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\aborted-session-pingMD5=9266BB3F3B0CDA99904E78FB76643592,SHA256=C6BDE726EBDDD451B8BD5EEDD3E7D88DD74DAF7B9911EAD45C215B5FF84C1C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076057Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:07.499{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A9853CFCA74D9BC2BB305785023FE6,SHA256=21658782DFADDAF2A319CAC2D5E004CBF0FBFA388F1526E02E629706F03AFCAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055553Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:07.408{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-270MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055552Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:07.201{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656AE762A33429967A225FC615E28C8C,SHA256=DA7852B5D8A368CB6496014536B7BDDD3586083E6E579EECC9B25F561622FE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076059Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:08.529{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B559F442CF10A932F3504DA804F10C5,SHA256=D7E759138E956941866906F214C63FFDFC92E93EF507B57A8F381A7DECF357F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055555Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:08.408{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-271MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055554Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:08.234{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A458B7420A6AFB70494A643867709110,SHA256=AD2EFBB65B2F8422F3AE3320AD1EE741D4745EC14531A7E0FD4C79BF1D16D7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076061Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:09.565{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A9EA8BC9DCB4A0020B99CBD76C8395,SHA256=521D4A8AEC22BEB9E0F01677AE5E3235B6C8C7C2DB22375783CAC1C1C219E1CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055557Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:07.735{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055556Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:09.236{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55663B258D2D8C4F2CF64924B830E8E4,SHA256=74A4463DCDB906ACA2D271A0903E01E990DCC1C9EF328C3239620C8E26D6B520,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076060Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:05.189{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56453-false10.0.1.12-8000- 23542300x800000000000000076062Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:10.566{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F237BC472F2D8DAFDFC7B55679A53A,SHA256=74A0939993576978D5EDA78D642B2868C28915E75AEC070225B1C9D8DB3B4658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055558Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:10.283{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBDE3E1D87C49855D0AB9F80973ADA9,SHA256=CD2BE3B6314DA83E0BBAB7D0F83C05584D6A5F65E8BC93F2E86573AFF55F901E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055567Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1CB-611B-9A0B-00000000F101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055566Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055565Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055564Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055563Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055562Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D1CB-611B-9A0B-00000000F101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055561Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1CB-611B-9A0B-00000000F101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055560Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.971{8A88D375-D1CB-611B-9A0B-00000000F101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055559Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:11.330{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1FC42BA7A5CE091EED8805525D2F3A,SHA256=3FA40743026B44187DB42EA60AFDF525A4126DE3173FEC21B607F2C0EDD07538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076063Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:11.579{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E11291DEB1138394428DB22CBEE3A6,SHA256=9D5B11D59AB229A8CF90BAB583D51420C279356DB5614A66A6F7D4CE8B2ABC90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055577Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.908{8A88D375-D1CC-611B-9B0B-00000000F101}41082348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055576Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1CC-611B-9B0B-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055575Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055574Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055573Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055572Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D1CC-611B-9B0B-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055571Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055570Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.689{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1CC-611B-9B0B-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055569Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.690{8A88D375-D1CC-611B-9B0B-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055568Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:12.393{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0720B343C0DD14C9809ECB6451325D8D,SHA256=324C3D76CBC366F01BDE793C8CC83638709B7FB7BEA8C0CBAA1A87A0B3F6ABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076064Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:12.593{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7688C16B26AF584D2EB52217761D0B38,SHA256=1C235EA973C3F4B5124F8C7C8A53B57665F04EEA5E8DB54E11BBC63DAF75F857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076066Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:13.624{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19312E1E33CD77186CE8E5CEB5458427,SHA256=64C4CFBA5A69BC9841B72623EC93A0220EE76BA178D42749781C4328A4B35C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055605Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1CD-611B-9D0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055604Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055603Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055602Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055601Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055600Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D1CD-611B-9D0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055599Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.855{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1CD-611B-9D0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055598Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.856{8A88D375-D1CD-611B-9D0B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055597Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.502{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2EAFE1AB492A6B0BC535C0B31CB89D71,SHA256=00C472EB41081C7A078EE879C0DEE51A582CB5669F49CE62DF44FEC740CA335B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055596Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.440{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24B2E303B6B8D9D0E27380731A3458,SHA256=4B978CD2D5F470B6BEB1E8F8BFFFED624A4B9072133F74CB50F747DC9C8323DF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000055595Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055594Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00fe9dc3) 13241300x800000000000000055593Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0xdfc41040) 13241300x800000000000000055592Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0x41887840) 13241300x800000000000000055591Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0xa34ce040) 13241300x800000000000000055590Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055589Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00fe9dc3) 13241300x800000000000000055588Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0xdfc41040) 13241300x800000000000000055587Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0x41887840) 13241300x800000000000000055586Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:12:13.330{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0xa34ce040) 10341000x800000000000000055585Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1CD-611B-9C0B-00000000F101}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055584Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055583Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055582Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055581Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055580Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D1CD-611B-9C0B-00000000F101}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055579Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.189{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1CD-611B-9C0B-00000000F101}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055578Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.190{8A88D375-D1CD-611B-9C0B-00000000F101}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076065Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:10.337{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56454-false10.0.1.12-8000- 23542300x800000000000000076067Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:14.641{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C75100C3126EC19ED8C7E12A518C0B,SHA256=EA05A270C4B5D900821AA3F000594078EA069971566CD93F69F9858AF9501F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055607Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:14.449{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69A2DDD5EEC51E71B38E2D515DD9A4A,SHA256=CE3704381FCE589A693CDC8925F523DB25D9411B6C48777B4CCCD02ED6D385AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055606Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:14.012{8A88D375-D1CD-611B-9D0B-00000000F101}41485240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076068Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:15.659{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C27DE48E71B9F4763F862DBEB2F96C8,SHA256=2C3B552BB57D93AB353CBF670DC5F822F059194D66B5605C4E0DF651890493D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055617Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:13.606{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055616Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1CF-611B-9E0B-00000000F101}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055615Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055614Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055613Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055612Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055611Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D1CF-611B-9E0B-00000000F101}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055610Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.699{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1CF-611B-9E0B-00000000F101}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055609Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.700{8A88D375-D1CF-611B-9E0B-00000000F101}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055608Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:15.465{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A129E1DCEBCAB32E0686C1802FA6D25,SHA256=1802799917E0024E1B30DD25394DC6096E541AA2438677A5F1011DA8B6E5647A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055635Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1D0-611B-A00B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055634Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055633Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055632Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055631Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055630Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D1D0-611B-A00B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055629Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.840{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1D0-611B-A00B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055628Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.842{8A88D375-D1D0-611B-A00B-00000000F101}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055627Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.496{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFCB3CA725D0648793BEDF34DA20079,SHA256=F500BAA70FE8843F67A0580AA31FC4384C4A4FC4D65D04E767394D9E05FD4D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076069Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:16.706{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0056B8B739A2F235271063B4A563FE8B,SHA256=213CC4B05FF4B471301C69920C2833A4189FF10A5B9C803C8BCE41C148F437D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055626Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.387{8A88D375-D1D0-611B-9F0B-00000000F101}15283040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055625Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D1D0-611B-9F0B-00000000F101}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055624Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055623Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055622Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055621Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055620Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D1D0-611B-9F0B-00000000F101}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055619Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.215{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D1D0-611B-9F0B-00000000F101}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055618Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:16.216{8A88D375-D1D0-611B-9F0B-00000000F101}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076071Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:17.841{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-278MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076070Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:17.720{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6726FFD6D1FE2072D91E89C479DE4898,SHA256=56CCE01571C13463DC529B7BB1EFBB108426671F7D3435E44319A7BD9CA33AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055637Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:17.527{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327CAEA532F9CDCFAC0E49D81D6F191C,SHA256=5D88082E47261C340110CF19ADAEF7B76E959B64FF04D55346756949E9135C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055636Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:17.027{8A88D375-D1D0-611B-A00B-00000000F101}55762592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076073Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:18.840{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-279MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076072Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:18.737{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E150B0134531BD06351A237F98D9D7,SHA256=3C823A39AE30D763F3EA6D50247737A301222458F85322D70405B81AAC402CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055639Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:18.730{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055638Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:18.574{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C193B68C1B21A477695A2957682BD06,SHA256=2B28C853FA1EA91210C7EFEA329B9BA3EBD9827AE771DC623C8C7F92EBD48FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076084Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.772{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9026C56634F81F547892DF5C1669401,SHA256=1201E2CC5DF1584259D39F8F83125807C6524EA54B52056A71722B467BD146FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055640Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:19.590{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46704B2E732A3F0343083E51BF15E858,SHA256=4127E662A6525B1FB3C32C58AA96F0D067E7C59E099993279E3E2A7FAB371BFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076083Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.556{2F630BB9-D1D3-611B-8F0D-00000000F001}68006276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076082Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D3-611B-8F0D-00000000F001}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076081Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076080Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076079Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076078Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076077Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D1D3-611B-8F0D-00000000F001}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076076Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.390{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D3-611B-8F0D-00000000F001}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076075Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:19.391{2F630BB9-D1D3-611B-8F0D-00000000F001}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076074Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:16.331{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56455-false10.0.1.12-8000- 23542300x800000000000000076101Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.803{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BA2294E552D266691957AE6CA5C0B1,SHA256=D648D9A4973E916F22AB58C10A99AB4146ED03320C3AD862C5F7FC13C3E27FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055641Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:20.621{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FA7AD9F611621C8E2908CE9CAA63D,SHA256=567B09833ACA01BB77393AB95CFE3490108D03EB77606D6B1293C2BE61CC59BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076100Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D4-611B-910D-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076099Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076098Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076097Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076096Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076095Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D1D4-611B-910D-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076094Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.703{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D4-611B-910D-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076093Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.704{2F630BB9-D1D4-611B-910D-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076092Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D4-611B-900D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076091Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076090Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076089Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076088Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076087Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D1D4-611B-900D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076086Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.019{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D4-611B-900D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076085Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:20.020{2F630BB9-D1D4-611B-900D-00000000F001}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076111Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.839{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8210AE36A711FDCC62117F824C924B58,SHA256=123FAEB6809675D4A8D83EFE742C16B979D14980AD9AD1B31CB51206BCD4FD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055643Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:21.621{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD21BA635D7D4BC6FAFD09FD2D88AF91,SHA256=4847207B7F2FD08D343F9EBE4D800605515493504FE30F95CFF3988E45F74935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076110Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.520{2F630BB9-D1D5-611B-920D-00000000F001}56728128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076109Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D5-611B-920D-00000000F001}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076108Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076107Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076106Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076105Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076104Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D1D5-611B-920D-00000000F001}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076103Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.371{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D5-611B-920D-00000000F001}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076102Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:21.372{2F630BB9-D1D5-611B-920D-00000000F001}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055642Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:18.200{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000076130Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.886{2F630BB9-D1D6-611B-940D-00000000F001}49644692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076129Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.855{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88BA696F68420B8AECB1BFFD0B58221F,SHA256=6AD6546962D24B1CCBF5F6A34DB6605A27A2F20D84F9D048CD4EAC82BD02E269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055645Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:22.637{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595B9F818348E8D7A2146F970C1EBA5F,SHA256=3B65D2D89A0BC8B89A5E6541AA851A1C633D6DC0B474252C00343E23BD3C199E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076128Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.738{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D6-611B-940D-00000000F001}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076127Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.736{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076126Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.736{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076125Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.736{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076124Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.736{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076123Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.736{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D1D6-611B-940D-00000000F001}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076122Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.735{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D6-611B-940D-00000000F001}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076121Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.734{2F630BB9-D1D6-611B-940D-00000000F001}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076120Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.202{2F630BB9-D1D6-611B-930D-00000000F001}78087840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076119Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D6-611B-930D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076118Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076117Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076116Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076115Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076114Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D1D6-611B-930D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076113Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D6-611B-930D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076112Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.056{2F630BB9-D1D6-611B-930D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055644Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:19.591{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076131Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:23.885{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741248B4546B9040330E05AE74D1FCC8,SHA256=60D6FFF8AB4829E87406F9D3D9F9C558368A02FFF446185A09B4690A5A1AC371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055646Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:23.668{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DD04F06890365094E99F4F9A69EA72,SHA256=D5F8E8A00BBEAED4B0001F46430C413FDC29915D31E4E842A5612C6847D8341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076133Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:24.900{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CDC9457F2315FB51C8AC01B8126407,SHA256=B2B4B03557B203E2010387F463F96DDE943791E0866DE88BD0FF38283F65FB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055647Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:24.683{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD0F189E2B375F077CFA51B12EA3DC8,SHA256=4B4CB4AAC54BD53DD5E04D41DFA31D368805BCE94C17001053D31A4BAEF1FF21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076132Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:22.175{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56456-false10.0.1.12-8000- 23542300x800000000000000076142Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.914{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94745AF45F3A5CD1D19642662A58C1E1,SHA256=BB8BECBEAB405E99A32F0881627376DA004D75B91297D09C93EB85807C1A9E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055652Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.699{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A9F11A9B953752215A0728DCA9176D,SHA256=39888F77EC2ACEB72896A9C93A8FD421BE94113EAC99E593DA02FC48F7EDB476,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076141Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D1D9-611B-950D-00000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076140Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076139Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076138Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076137Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076136Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D1D9-611B-950D-00000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076135Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.115{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D1D9-611B-950D-00000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076134Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:25.116{2F630BB9-D1D9-611B-950D-00000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055651Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.543{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FF254A266254D3EE4087D8B2C094272,SHA256=B1C3B51A4915E359E2EAB3F4B718530912695A91BF318BD8A8BCAB03513B56AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055650Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.543{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003C6810819FB8C105EAEEB7796EAB14,SHA256=2E17D51EE95F6D8AA2E0986B8D8825D2158CB9923BCA66C77D1EF700B53F5FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055649Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.465{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8E1B8D7838164DD7A79D35FD4D57555B,SHA256=EBE1D327F33B7876C10121C3369A99EF03D2922675396F29E71AB02F5DE93CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055648Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.465{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0F1976DC5F63C74659D956AE6325CD9A,SHA256=94676C74167790F075E7D1DEB544B45A23DFE6BF1A6C0CBF4A418AA3EC0658EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055653Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:26.715{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A929000C2E3D77F7ADF0D407B297DA4,SHA256=EC909C6E2EC85CBB2D8DA980B73DD9106911CD20550F5D777034DAECAF90FAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076145Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:26.932{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658E0E1E5D9909E1B1E1DC3254662066,SHA256=E8553692AAD91FC6B334B81F837753ED420BE01236DD44F2A131523ED79C9D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076144Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:23.957{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56457-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076143Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:23.957{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56457-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000055654Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:27.746{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DBFF44435F92B50B37482678C89656,SHA256=45D93ED9D210EB62F44414D730B0041498F31A2995DAC922CFEEF6AFC6D20729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076146Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:27.933{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06386762679B67A260875ABFE3EEDB9,SHA256=0C10F81BB2D3A17942DFF9F41A5CE386BE651890034497F2298132343C9A6FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076147Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:28.948{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99864762C33674CFF85D955CCA53225,SHA256=B568ADEE3095619728EA599C89A2BBEBBD19B27B4297815D212C8A2BAD045065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055656Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:28.762{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E4D725ACA68D338C89FA53D8DE6C44,SHA256=998C13AA8CE000D7177F018D728AF5001EBBC25901ADA6C2725DBF624C40D737,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055655Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:25.544{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076149Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:29.979{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A31C0432B645C9DA30555A6558BDF4F,SHA256=55DE178D194574FCA3176CA050A65DBAFC8F4B098E66E2F247014CEA08F15634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055657Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:29.777{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C040B4D92B82CE606635F3CCF9C04,SHA256=44EA1ABE16C6EF3117B89474601A50DED2E6D22C947B913ECD39FB2459128E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076148Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:27.369{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56458-false10.0.1.12-8000- 23542300x800000000000000055658Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:30.824{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A764AA0A71A6DD68FE89299E8996C2F,SHA256=D9397801ED42C4CA2F2E410263A539D32B2424E804DC3085FC727218F3C9C62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055659Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:31.918{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2514652FE811A701C7EBB9D0DD0B64D1,SHA256=1A54D38D7459A7DC230FAAAE0C05566BFA2E2B6014473BB38A9EC1D7F972BCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076150Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:31.009{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B855D538093008CDD1781164B500DF25,SHA256=45B377236009FC07019552A48C999BE231AB1E6AAA9D1D8DD8E4E5166D5D4067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055660Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:32.933{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D559A56A8B5EC6789C760612F58C6429,SHA256=748F3E7A890747B3F94686580EDC1B9AE5599F1A856CCC5CE6F1B8E167CCA11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076151Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:32.027{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58E4390AB415DCCEA1DAF64DCF74A53,SHA256=067348B3243F730F7B7DD1370CC250E4C5C697A26EA60F8EE3568D1A06131522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055661Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:33.937{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6013B7890C40C67928E5D9274516E0,SHA256=F599861C3692874E21116CAEB03086808CF94154C4BE7644B499316059213890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076152Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:33.044{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F9307C18BB3039CD5B82B4AA77841,SHA256=D848B0B9ABCFEAE33CEB02900DE0DD00EB743C3A790423CBF78255C6C869783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055663Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:34.937{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9E3F80593DFBC45DC9FD979864E13,SHA256=719C40BFD2A8FBB1E81FEF8EC444DCBEBC1AAED2ED3F0D67E494C6C3D63064D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076153Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:34.074{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC91714C0D720B2E2E9F9F452272942,SHA256=6073570D259235585479DFC05C491F14A70F5D866AD2A70D0E1D74F449D83085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055662Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:31.528{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055664Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:35.953{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B26CCDC729011135A4EB506DDCC104B,SHA256=399D7BF3554B4E25D18BB94583E0CF450CFC200840376528A03B4A481A83E141,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076155Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:33.347{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56459-false10.0.1.12-8000- 23542300x800000000000000076154Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:35.104{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDA1F4E7DC9EF4112CF2A91A9C8447D,SHA256=107C349C3D4B51D8D7BE748C8DA3013A22811DA1F60A2BED6BB3A02453771FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055665Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:36.984{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32B05DB688531CF630864B81293367D,SHA256=96BF6D6DB798DFB88B12B92343FFE256745916A2C44C02AE4A5B37DCC12DF19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076156Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:36.124{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3587865087BD97E5F51F201CB78F3CDE,SHA256=D3BE24F7E5F7A0456CB5E056F4BC02E85D90A3F99C61A0F6101C11F3E4492186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076157Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:37.139{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6511224153EF61352774A283E91FA5,SHA256=A75B469BD1C59274E6BE4EBC125A30C57801BF099559309A303806DDEBE116B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076158Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:38.169{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E18976CCEE0753B818AB317E9E1F89A,SHA256=47D586665C20A2A59B138DEDA79F5240A5631620DD9E3C083E9CACBB01D89CEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055667Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:36.208{8A88D375-90A2-611B-1000-00000000F101}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.82.111.71-62629-false10.0.1.15win-host-316.attackrange.local3389ms-wbt-server 23542300x800000000000000055666Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:38.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603452C2B905D6B2AA261016B252797F,SHA256=CEAD3F2BD4BDD57ED06E8BDA74316E8C4A20AD7E083A5608C994468E31AED7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076159Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:39.199{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCB83C3F1D4A558DF6327DB41B0ACCC,SHA256=60932471AAD5C3D2A2B6F87F57C477242D874A56D5FE76F32616A054C925B02A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055669Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:36.626{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055668Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:39.015{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D325B63AE629A2C5B0F090AC39FB8145,SHA256=DAAAB50FFAE13ACF9AA7C8E0E0E4C0D349AF5B38358903BCEE4A80F3AD405DC6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076170Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000076169Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010697c1) 13241300x800000000000000076168Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0xf00b90e8) 13241300x800000000000000076167Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0x51cff8e8) 13241300x800000000000000076166Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0xb39460e8) 13241300x800000000000000076165Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000076164Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010697c1) 13241300x800000000000000076163Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79371-0xf00b90e8) 13241300x800000000000000076162Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0x51cff8e8) 13241300x800000000000000076161Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:12:40.436{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79382-0xb39460e8) 23542300x800000000000000076160Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:40.236{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB64874E156A3B99F51A1F0984D030E4,SHA256=2BC40F7DC76CAA2B699F90D2FEB174C2F963D7EED0A8F5C7D638F760691C28E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055670Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:40.016{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080EDE3CB32A83EF3DAC551736A75D98,SHA256=66726D33F57E76F625FCD1132A0A7DBBAF0F24FA57ADB21391BEAE902586DA47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076172Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:39.309{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56460-false10.0.1.12-8000- 23542300x800000000000000076171Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:41.266{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3747E657C84C399CEA9EAEE88723E00F,SHA256=0DCECA7799EDB9BA6CF1D0F3CA63A4D8DED9F441747BC1128D33463D9ED4E24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055671Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:41.031{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21CAF1B2855A4FB7636695B574ECCA0,SHA256=E7F9D6C3F40EBB21BB69748C5340E9ED2658CE31EAABB722E005297A0354A8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076173Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:42.281{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460A55D3A560152A645F58C35CC81EF3,SHA256=EAC0FF97E401652C5357ED06302C21443132BB3391B614D9916A452B83BFAA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055672Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:42.031{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A851A86EC4B5EE2DF3E69979E619FB11,SHA256=2B364028BD3CD65B6B625D44B0303ECA2FCAE0CE1F0F06F81DE910BC5CF615C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076174Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:43.295{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9555E59B6A83E1A77BFE51E2652FC0E8,SHA256=B7AB99BC17BD95A2F64D8D9A784950167D689252DCEFE5004B84B0FB3290BBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055673Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:43.062{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F6FBAEAC8BC351F78B9F9C0B690641,SHA256=924A9C67D4C14B30BDFFFF86DC5313B4E4C85ABC7DFCC5B7A752EF98151865EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055674Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:44.094{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D60995792314ECC5AE6252C71B3A61,SHA256=F0449C6ECF06BBD29C8F80C56AA0D09F0728E7E4C159B4EDD1C04F6A2209C1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076175Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:44.313{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67E62971A7AF50531E772F4315BD782,SHA256=91DECCD99D4174939E7A0611F2FB7B15A8B7BA4BDF3D6FC22A9359D37B277CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055676Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:42.657{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055675Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:45.109{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E05B9A67FCFDF9AD179FF9E2D6B67EB,SHA256=4C4C98562B2F015E7FDD5EC2BBEEEA416E58D291F2A3F01D897F0AB3B366EDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076176Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:45.330{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE27E9516EA752EEAAE65346A3BD2540,SHA256=6BFA6CDDE4A493503C5B368A46D267EF4204DCEC6A4E21FE2EAAA9F15071EF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055677Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:46.140{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB688E5E2607B386DFF70F244E6BCFC,SHA256=62FCC37B8F194E394C7C4480926DAAA5461D42E7435C131756EAE7586E709A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076177Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:46.360{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB1DEE8F7511A31BE87E50D0CD0CAAD,SHA256=84D55CD377D907ED41C443FBDAC8C0214BBE8CA1A1478DEE076B565D1F532C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076179Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:45.287{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56461-false10.0.1.12-8000- 23542300x800000000000000076178Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:47.375{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61EF7FC57937F47E31A078E05B6C5DA,SHA256=7AC6D56A8F0DC72EABFC79033C761C5ADBFD58651226BD735D125DA3F7904124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055678Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:47.156{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D548A204FB1E65DD9380556BBBA24974,SHA256=BEBB81179E681C78179748F4997BB54D5DBDE447735EC5E05E2ED333E23506D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076180Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:48.390{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC050CC5C4B90D8C29D97E3177A2C0B,SHA256=A1547AD5B2EA8936D9083AFDCDBF085D348B280B20DD839493AB8263321FDE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055679Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:48.187{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5BF59C1B2446D4C66D2A866E8A1CDD,SHA256=4BCAB8BA5DF9A33DE963AD63226E56329225714572C640CF4F1649DB0B753574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076182Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:49.427{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BC8F4DD75FC816386BCB834385510D,SHA256=E47287C6EC9DF5C3289C4ECCE80D2CE943EDFF04F303DFE24D89A0C3A6623095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055680Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:49.219{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F31E4A1C4B12A4B58C475B6569A6A90,SHA256=BB270DE04ADB69513A0D6D6B8D5BA5CAD8A861D43B9FF5E328160961EEB6898A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076181Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:49.127{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055681Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:50.265{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BF9C6B243E490B23D0AE8E610037A9,SHA256=3440726AF7916B4DC651FE7A4EA54F88E07DC904CBFFF3BEE5537C70F914CF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076183Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:50.472{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA0D7801B74D62C3CE7DFDE1EFBD342,SHA256=8E003B29EC2A713C3A136F669410BFD8CD0307D435B315DCF5D9A5DC4FECAB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076185Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:51.487{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13045B02B92F5DEA2A5714FA0EA71C9D,SHA256=45AA1A63C5E5A48DFB2AD60080390EC19FE7A4BA18D3DC7EFB7C34ABA027ED66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055683Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:48.704{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055682Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:51.281{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784E9BFCBE45EF006D7518C2836ED20D,SHA256=5F5E18F55B8C7B8883A9A12BA9E4B41619D976FD117D17A8F7A2C7A43B48DE87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076184Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:48.247{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56462-false10.0.1.12-8089- 23542300x800000000000000076186Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:52.554{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776A53258495A888831E9C90314BF2C,SHA256=958DFB0D4DFD2779377AD6A889289737B3CCFD6C34C726BF26BB6ABD374D4BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055684Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:52.312{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF63C21F7B7003BB9CACA72F490D52A9,SHA256=2C5C9DE78C9E30CAB2DA6363F1E257A7B417C10BCA9027538ADB2FB28F37ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076187Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:53.570{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E708A86A8D86CF89CD2FE0EFABF9C7C9,SHA256=098B00716A31F93F38690FE161567B9159D4CEC6D340A7F74932F711FD008C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055685Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:53.328{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61716005329A318421E1BE83E8EAC60,SHA256=34EBE256EC0989B4B45143ED1C91D9634F5226AEE70BDC427987EA7DF2F1660C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076189Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:54.584{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C1B76ADCBA2886E0341D9C536898DA,SHA256=06DFECB8ED55CBD13ADE7782AC5F4261FC3D4A7F86D99717CE2A5AA249F0D346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055686Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:54.345{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABC4EA95E75604C1ABEA1924F83975B,SHA256=401DFBB58C75049DF9E6AD718D842D1A4FBB0EA95C2FE76C9E158FA9A6E0DED7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076188Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:51.197{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56463-false10.0.1.12-8000- 23542300x800000000000000055687Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:55.376{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F65A68001760F42DE2D3B144B01D0,SHA256=6CD80BC0E05790B214F2F02F705794CB3D5CC87FA9A3F4B97038D99F7820B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076190Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:55.601{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D86E0D764CF91267FF4E062365A6ECF,SHA256=7727B69712F5A201C63A7CA5EED31F79429F96A3C10FEE4BC881B4791FA7AB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076191Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:56.619{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967B3DF337CA63AFB23ECA7C8424CE85,SHA256=C026F393505D91136ADE72313795F2ACD40552BD7AA5FDC201BB536E8003EE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055688Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:56.408{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F2E31BC883D036D21574DAFE417CA4,SHA256=3912D3F95E092FA13B3147BDD6FA3A80F7E9A0EC48FE8B174211A46E97200327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076192Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:57.633{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4D51D032E509687346E3D070A9DED4,SHA256=8AB7DD7751C383358BED685C16D9AA2BF4EE7719ADD9E2FEE71DDDC4214449E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055718Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055717Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055716Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055715Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055714Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055713Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055712Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055711Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055710Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055709Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055708Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055707Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055706Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055705Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055704Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055703Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055702Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055701Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055700Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055699Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055698Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055697Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055696Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055695Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055694Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055693Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055692Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055691Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055690Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.767{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055689Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:57.439{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8058ACB033A1C8442D54AF66E86015E4,SHA256=57E0406CEC87A63FA03DF174589B8F3205BF080F8F96B29164F686AD265B95B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076194Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:58.679{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4CF2C0B14837689CDBE8891E21901768,SHA256=E2A02F507B67EB80D5A742144FAC4F70B79E43EDE8A8CC43C474EBE2A0CAE741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076193Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:58.648{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575E7CD1F39115922B96AF0201C873FA,SHA256=D42DDAFD4FD977BF34232EFA7C0E69551D9063A247B9D71C46D6F715F2D93F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055720Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:58.673{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C41636479FFAD44537AE6D5867B30,SHA256=F64BDEA80A9BABE772FB7D28FB6F830341B888043681F5DA9B6584F2B7514435,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055719Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:54.549{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076196Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:59.677{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F78FE84477F1CC7FB4C1CA69B289A74,SHA256=D194A50745976EF0B1FCACEBAACFAE642E1360C58B286898AADFA224A072BD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055721Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:12:59.689{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FF4499DD5C099DD5FCB73017DBC278,SHA256=221FB7A1AC057C49CFD675961FE0F8EA405C3EB23825199654ED544A8DDA0883,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076195Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:12:56.323{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56464-false10.0.1.12-8000- 23542300x800000000000000076197Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:00.713{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E4143A9F6A3989A249B355A278DB05,SHA256=09AA2223510091882D424E2B3845B41E1340F723DB7E1197AEA52705E801C987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055722Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:00.705{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC16C1398F9A0648F80748FF32DEA9C,SHA256=1DE0222EFFFE01372925F1AA23CFD72E123437A588FA0227D2AB9BE43C62DACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055723Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:01.720{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56D73AE5AF275561C47906A92F4DA99,SHA256=59E7028DAD3578E4647BDABB4D3CC6AA29A1350B86F26EB8AB152ED98F54336D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076198Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:01.743{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7431D103325E34416DE2819A9C01A36B,SHA256=524F31067CBD1DD9D2E357D87DB9CF7470710E6F44A13213564C60217CB6F50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076199Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:02.744{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5D35E86AD92B7BAF2347B9F44F0028,SHA256=C94A9103BBF053B2C7C09B32F461B692763E89F6D1BBF79EDB121E7ED8182DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055724Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:02.736{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A80AC17E1A73AFA0BBFF53C2F3FB4A,SHA256=96E5715BF85F09972151239753B99EC71BCC8AA31AA8513DADEAB87FE605C9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076200Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:03.774{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30FDD7907A3B53E990B4DD9125A8F23,SHA256=0E4D3AEB70FC91F09117C424AA3A91E8F8D1FA1FB528C5192D12AF5736F0F2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055726Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:03.767{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D23EFB693C319FFE42AD08FAE376821,SHA256=F71C04265EA9DB135041E70F1039E1DCD56F64463BBA4E9E2568379E1972D1B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055725Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:00.534{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076202Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:04.811{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2741E703AE6B35CA331A92B3AE9CC780,SHA256=3F7EB1D2C8F9A47660F15BB630B015DABDADCDF8865143822B00B635A396EEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055727Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:04.814{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09A05BC749040E9B666129E59639E81,SHA256=18F5BDC3653EDF83E64C732BE217FAA937CD3E943BB6CCD0C4CDDBDD47851BEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076201Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:02.232{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56465-false10.0.1.12-8000- 23542300x800000000000000076203Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:05.841{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1AEC803A767636DE6266ECCC496DE5,SHA256=203F11E0623F58BC00E2543FB345488805C2739C95022ACF2FB2545ED633BCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055728Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:05.845{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA0EBF3F8E1A0A06FF31E319A37DB13,SHA256=DCFBCEC1813D299E715732A54E5E2278EF0A8BD27CECB73EEA87FEAE774300F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055729Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:06.892{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D0C5722F014EDB1A8BCFFA148602B2,SHA256=45E61431E81FC084C3D25D77EB2723B481E562EB232D2AD621EF629920C0CD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076204Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:06.872{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39151F7D4620CC2C61900649F072FB2,SHA256=A01CB3DDF8D5E96B56380790435A784A9B02137FC4B03217BD286B0EA6DB0A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055730Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:07.908{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C117D1DE758261B56125C0FA68F9C9,SHA256=814DFA6086352E2C26ED64B8ECC2DBC9BE67787ECF31014A91429ADF4BBF1F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076209Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.908{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73489E90E7C25D19968DB8CAB301B4F6,SHA256=3A1EFF4E6BEB85D0A256FC6D77B94C6C9C1E61126C0E71611CF7B14F76FE5768,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076208Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.588{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000076207Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.588{2F630BB9-C74D-611B-120C-00000000F001}4956716C:\Windows\Explorer.EXE{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AF4618A8)|UNKNOWN(FFFFF55BB4CA5B68)|UNKNOWN(FFFFF55BB4CA5CE7)|UNKNOWN(FFFFF55BB4CA0371)|UNKNOWN(FFFFF55BB4CA1D3A)|UNKNOWN(FFFFF55BB4C9FFF6)|UNKNOWN(FFFFF802AF179103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076206Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.587{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10701c5.TMPMD5=5DC7F12925A3AFE1350E22C4D18895D4,SHA256=C9B1BF1A545F85BBFF7598EC849E260DBCB3503CF53B1AC3CC4FEE256B700E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076205Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.240{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CAD63A81620EDAE85BD44774996C3E0C,SHA256=7D26FE29F488CA9893B6C0A86612DB204AE9E301DB12ECE23E3E99B5331F421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055733Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:08.929{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-271MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055732Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:08.910{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F55AD9FED347C1860233C455C242EBA,SHA256=588A965E58FF4ABC0E1CDF807C6E5F03E81202441779EF5B6C87856533DFE530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076212Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:08.923{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FA25D7B0309FA1A020CC49687DF1A3,SHA256=3356D21674C77193FD97FACC8BC5B7AC63B899604B074C99403314A659F85C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055731Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:05.705{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000076211Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:08.570{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076210Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:08.570{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055735Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:09.928{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-272MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055734Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:09.911{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212EDBD00A25E655AACB800FA252CADA,SHA256=593866C42355526A7204064690EB6685642AC132A135FD9E6889C31E781AB8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076213Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:09.937{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C0D3B58319A2EAC224ABD8E1DCBC27,SHA256=4DA1779802C2336D47C8455F2B259F49D26DF4190CCE96A397E7A992E109231C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076215Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:10.967{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CF94F2907420D50871B2432EF7A036,SHA256=BD703EE783BD21D14B293BFE09CA311DE0166DA7241B21693D1F04C5D3741F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055736Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:10.912{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAEE85D20F208519896FFD2A7CA9771,SHA256=183A0B411440F2247BF33A98EA7D3A565AD36C09DD200995A938DCE8DA4E5D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076214Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:07.396{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56466-false10.0.1.12-8000- 10341000x800000000000000055745Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D207-611B-A10B-00000000F101}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055744Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055743Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055742Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055741Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055740Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D207-611B-A10B-00000000F101}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055739Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.959{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D207-611B-A10B-00000000F101}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055738Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.960{8A88D375-D207-611B-A10B-00000000F101}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055737Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.928{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F305B1BA290E204AC2C932AFCDFB31,SHA256=30CD49FA721125F0F3914DED0299375E833E797F0C8AD7756998FEAB4A0602DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076216Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:11.985{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F917C824ED3757509BC076F28FE74,SHA256=899696335F075A2F031299ACDDBE85147426E64FB6F0E43BFC45CD2B1A2951B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055755Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.944{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B7C434EC8AE87E3E811B22E8A3FEB6,SHA256=00148FD399FD5E3021586C6CD75F17CFBAFF644B248A14530F29EDD1A0E31B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055754Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.881{8A88D375-D208-611B-A20B-00000000F101}1944172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055753Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D208-611B-A20B-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055752Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055751Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055750Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055749Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055748Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D208-611B-A20B-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055747Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D208-611B-A20B-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055746Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:12.694{8A88D375-D208-611B-A20B-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055766Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.953{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA6ED1175884A59C58043188BA328F,SHA256=60D693EBB907C475A4B23433BE6F0A0DA25DB896118ADB41046FD3DAA0EE65D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055765Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.506{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5EF02B0841CB08BC7BFDF0C90E4A775,SHA256=C33EEFE6CFA9CF8A91704E46AE863BC24A1B82936BCE4CAAC77C683BDD7B6809,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055764Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:11.585{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055763Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D209-611B-A30B-00000000F101}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055762Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055761Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055760Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055759Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055758Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D209-611B-A30B-00000000F101}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055757Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.365{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D209-611B-A30B-00000000F101}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055756Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:13.366{8A88D375-D209-611B-A30B-00000000F101}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076217Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:13.003{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC768EF1582CD658506724AAE979C32,SHA256=96A1D457355D16554BE2EC315C35F75B4F80E3E2E28235B499F6FB60FA7B1500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055776Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.968{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762300DBA85F51A0FEDB1807151AC722,SHA256=3F07E21862B5BF1C25140416466F9AD04F1CF228130EF419A53CD755EC4A1516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055775Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.203{8A88D375-D20A-611B-A40B-00000000F101}47964440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055774Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D20A-611B-A40B-00000000F101}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055773Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055772Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055771Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055770Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055769Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D20A-611B-A40B-00000000F101}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055768Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D20A-611B-A40B-00000000F101}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055767Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:14.047{8A88D375-D20A-611B-A40B-00000000F101}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076218Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:14.018{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9CCB30B040EA45341FA62442B0C0ABF,SHA256=80F602C8072792C3C62052404E5AE02136904BDAD653D8C9098EF50E680AC4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055786Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.984{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7686CF4FEE31B9FD73958F71EB74B0,SHA256=0EA8667C00B0F888A13185C17B2F033A8D0A284A7DD0D3628B7797B5386675C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076219Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:15.049{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045F7C1BACCA276DE61E1BBAAA7DFD75,SHA256=91F15D5C77F60F5FB0055761A543976EBDF1235026B0F928E247FF502B3EF7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055785Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.907{8A88D375-D20B-611B-A50B-00000000F101}43402856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055784Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D20B-611B-A50B-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055783Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055782Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055781Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055780Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055779Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D20B-611B-A50B-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055778Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.703{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D20B-611B-A50B-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055777Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:15.704{8A88D375-D20B-611B-A50B-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076221Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:13.322{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56467-false10.0.1.12-8000- 23542300x800000000000000076220Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.063{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9E01686E3F470AF0E19B90B7094F82,SHA256=E459A996E1A57700DCB3F37F92F8CCD43AD468E772D088E52C173995B21C2CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055795Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.547{8A88D375-D20C-611B-A60B-00000000F101}46481760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055794Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D20C-611B-A60B-00000000F101}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055793Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055792Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055791Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055790Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D20C-611B-A60B-00000000F101}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055789Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055788Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D20C-611B-A60B-00000000F101}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055787Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.375{8A88D375-D20C-611B-A60B-00000000F101}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055804Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D20D-611B-A70B-00000000F101}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055803Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055802Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055801Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055800Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055799Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D20D-611B-A70B-00000000F101}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055798Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D20D-611B-A70B-00000000F101}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055797Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.047{8A88D375-D20D-611B-A70B-00000000F101}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055796Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:17.000{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986EDD433CB126903408432D6168FB36,SHA256=E20256990ECD72DF714DE9DF61F7E84304DE0ED4F72B1EBBD4330360D2F694C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076226Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:17.961{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D83292825287C5EA8B75C4D16C883548,SHA256=D85D8A666FC5AEFC8992B014089294F5285305B2B12ACDB4D53C029FCA99B5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076225Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:17.961{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE176543C44EB978E885EB77DAFCB769,SHA256=6EBBA66AD6A7EEC95216D6C43A3ECFEC7B50346D4BECEB614F010FAFA2EA575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076224Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:17.084{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4470C30CF8284350E31AEE45145FC1CC,SHA256=D223B7CA23CAAC35B458C157E1C66DA2D07633A4F8FAEAE01DBA6AC34DC04A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076223Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:17.084{2F630BB9-8EB3-611B-1600-00000000F001}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=7A19EF82F55BB623B671C86E33DBEC24,SHA256=AF2474F6DE12CEEF92B111A8B337DE951E3881DC21189420343D38F481684FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076222Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:17.062{2F630BB9-8EB1-611B-0B00-00000000F001}6324720C:\Windows\system32\lsass.exe{2F630BB9-8EAF-611B-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000055807Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:18.750{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055806Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:16.625{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055805Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:18.015{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE6E1E198C740751FEFCACAB98AF31,SHA256=9804C1653C346D3E9192C6DDE8603C4D12110A69F863CCCD99753F52FE3CAD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076235Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.208{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56470-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000076234Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.208{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56470-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000076233Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.099{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-86.attackrange.local56469-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000076232Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.099{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56469-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000076231Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.091{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56468-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076230Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:16.091{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56468-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 23542300x800000000000000076229Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:18.183{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07DF9BF33C34A38C6D897E76F5A7822,SHA256=D3AC64EB97FEF5AF0BD861EC19E6B76461CB577A6C63661798FF8F2703DE75EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076228Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:18.183{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6F6A1E8A84DA8A3F96D63DE57F0988,SHA256=F0978B542CAADD08AB1E3CA9D7FE8D607F1966126AEEF3C96A9F3060D65BD776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076227Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:18.099{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17E07D40FC67947AC5FA2EA607688B8,SHA256=BB158EE60F9C1E3EA771135E2BC9C73C8962E550D4E8EBEC3A6CCF3D8B9161EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076245Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.382{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-279MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076244Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D20F-611B-960D-00000000F001}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076243Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076242Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076241Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076240Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076239Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D20F-611B-960D-00000000F001}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076238Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.313{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D20F-611B-960D-00000000F001}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076237Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.315{2F630BB9-D20F-611B-960D-00000000F001}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076236Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.113{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735499AA4EE15697C7F75BB0EE293150,SHA256=63E23937BEE7FB3611EB9E7A2C3CB8AE43A4E341D2D86DAFD50F2ACC2B7FC7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055808Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:19.031{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D90B0A54AEC049BA9469372D5D6AEBE,SHA256=6EECFCFE8E3563C42084AF9A8EAE00FC1B351E615581BEA98416CDB98310C504,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076265Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.679{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D210-611B-980D-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076264Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.678{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076263Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.678{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076262Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.677{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076261Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.677{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076260Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.677{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D210-611B-980D-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076259Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.677{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D210-611B-980D-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076258Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.675{2F630BB9-D210-611B-980D-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076257Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.376{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-280MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076256Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.144{2F630BB9-D20F-611B-970D-00000000F001}23005280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076255Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:20.144{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9E129400C7147ACE6398F303A034A0,SHA256=76E1427E59045B56112A1A72B81A8401C063E9634E79C4B9C0445BE0DD43B458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055810Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:18.219{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000055809Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:20.047{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D4FF23F42BBA7BE797C2F0D17EEB4E,SHA256=DE2EB3D7C2C38A5E25E49E4737C1644B472920AAB69D886F5B123E533F0EEB56,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076254Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:13:20.078{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7937a-0x69c8894f) 10341000x800000000000000076253Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D20F-611B-970D-00000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076252Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076251Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076250Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076249Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076248Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D20F-611B-970D-00000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076247Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.997{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D20F-611B-970D-00000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076246Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.998{2F630BB9-D20F-611B-970D-00000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076276Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.201{2F630BB9-8EB3-611B-1100-00000000F001}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-86.attackrange.local123ntpfalse169.254.169.123-123ntp 10341000x800000000000000076275Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.496{2F630BB9-D211-611B-990D-00000000F001}5192620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076274Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D211-611B-990D-00000000F001}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076273Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076272Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076271Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076270Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076269Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D211-611B-990D-00000000F001}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076268Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.343{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D211-611B-990D-00000000F001}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076267Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.344{2F630BB9-D211-611B-990D-00000000F001}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076266Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:21.159{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE1A7F3A5280495CB2A7E42B8085517,SHA256=459AF968982709A8FC1B1FBE785D85E053C311C7800BC1410093612F2CA1EDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055811Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:21.062{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC4A842914E3D854AE120493A30EE39,SHA256=470896EBD92BB338677C718B3D71FF13EA2E86BA90C30495976817847BA3E1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055812Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:22.078{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BF44E10A3996E6785744669F8457C6,SHA256=D1407CB302E8F7585BEB50159EA4BA4793F3AB5F309BAE123F185BA028212650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076296Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.811{2F630BB9-D212-611B-9B0D-00000000F001}54965132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076295Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:19.201{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56471-false10.0.1.12-8000- 10341000x800000000000000076294Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D212-611B-9B0D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076293Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076292Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076291Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076290Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076289Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D212-611B-9B0D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076288Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.658{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D212-611B-9B0D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076287Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.660{2F630BB9-D212-611B-9B0D-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076286Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.180{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174FA0E3FA6228E2FC204069162BE9E9,SHA256=9EC2228E97884364F4FDDAB4C663B1941DE87A586A663BC48191DD54B51BD0A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076285Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.143{2F630BB9-D212-611B-9A0D-00000000F001}64405152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076284Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D212-611B-9A0D-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076283Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076282Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076281Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076280Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076279Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D212-611B-9A0D-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076278Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.011{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D212-611B-9A0D-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076277Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:22.012{2F630BB9-D212-611B-9A0D-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055814Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:21.625{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055813Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:23.093{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FF8A888344F2445FF00BC556C764D5,SHA256=AC86CE548232450D9FFA2A300EC882939209640550E922BA012EC0E4F9D65FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076297Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:23.195{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C630CC6DAB1C368F23DB36D032F1A9EB,SHA256=3EF37FD88A234AF9B0A4B952B8890BD8CAA62FD8294ED1DA384EC5F51EEE7328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076298Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:24.225{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1328219543AF50AC514093B8C4F8E61,SHA256=46CFEF5A4E2337757AFF7D9EF0416C6F16C16F5811403238606E4D13CE5C9C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055815Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:24.109{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B7F53A90828EC5C52F958FB2FEF1F9,SHA256=E4C93C370B25BF6843DD26E66F363731F4E300EB954AAD5B87FB34BE72BC5619,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076338Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076337Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076336Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076335Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076334Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076333Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076332Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076331Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076330Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076329Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076328Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076327Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076326Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076325Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076324Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076323Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076322Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076321Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076320Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076319Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076318Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076317Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076316Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076315Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076314Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076313Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076312Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076311Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076310Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076309Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076308Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.339{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076307Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.255{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570C1978C376F86D086CE5A884EF8616,SHA256=1F5B00C0A062ADA1902E771A8F6A27F89FDE118CD82EBD32BB0F069CF2851962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055816Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:25.110{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAB78664877092817A39A94768AC1BA,SHA256=4E50FE279EA8DFBCE74D2DB207F48E312E23B6BB655940D2B48C2AFEAC15C861,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076306Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D215-611B-9C0D-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076305Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076304Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076303Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076302Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076301Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D215-611B-9C0D-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076300Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D215-611B-9C0D-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076299Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:25.124{2F630BB9-D215-611B-9C0D-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076341Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:23.966{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56472-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076340Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:23.966{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56472-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000076339Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:26.653{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB7738D69015920FA4A3D4F48112299,SHA256=CF13CB45F9DE9A0AC76D1A667806458B16EA0062FCC4A0064BCF1738E100DBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055817Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:26.125{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B834DEC3D87B7F98E14992EAFC8D42,SHA256=895DE3F236BB4D68257A9EE827606AAC298B84E89E9FFBF1A7E248A09D371431,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076343Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:24.234{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56473-false10.0.1.12-8000- 23542300x800000000000000076342Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:27.689{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90C511DAABCF408419F240CE3698281,SHA256=181EDEE551E8B25621696C6EB2C884274534A48AE52FE4DE6D6ABACDE59B0D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055818Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:27.140{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C8C7BF74496CA7E9E23430DB5131E2,SHA256=FB637036E75F7F8E8444226CDF975B46F9FCD5887879F549415BE9B413477DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076344Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:28.750{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D89886D5369C9E41C94BFE5AB3F6F,SHA256=ED71E8E8FD69DCD9A1F6383700DCB9F662760C45183B08C9180FBBF9160F4348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055819Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:28.156{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDC1EA457F1258FBC96A9510ABC73CD,SHA256=B8E35B818A019B24D008279BA72A99F9B824CB89860435C18F0F54A6E8059F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076345Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:29.768{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7658E18475FB4B6E967AA44B95EE3FFE,SHA256=BD184F91C98C9F57DF98230DDC7D38D1480FCD4DEE6A0C5CEE9EEDD5F58D8FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055821Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:27.594{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055820Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:29.172{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC8611B14C71F8FC6326A377F3E911A,SHA256=2F500AFC975DCA7E4B3D24703187A8367E8D5C9D3E6AD7E813716913CF4C6113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076346Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:30.786{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104320CA3879B7B68F1A32125DB4673,SHA256=EADF1E7228B524231276C557D59E444257DA3E09FC973A0A8078067AC675FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055822Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:30.187{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1AB01D430B75793A6C20C9410743F1,SHA256=7D8FFAA292A2F870CBC6378268122347A2EEF676D06B3E5118BC1C9AAED7EC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076347Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:31.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F061F48583B97980393359B069FD3851,SHA256=8ABF86C7BCE9C0248CB336128A1E2779801ED6928FF7553D76793DA7DC84721F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055823Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:31.203{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAE896F0E7BE0ED13A4F606CE6B534F,SHA256=F359212F5F729FA0576D4A29CA2844AFEE6F9CB35662760FF25C98D28BD9DEBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076349Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:30.258{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56474-false10.0.1.12-8000- 23542300x800000000000000076348Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:32.846{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B087D62D8E830D0826F81AEF04821410,SHA256=13FD052DCBE8B8CF3561DD02956BBC25A6B685CD429131B52D2ABFD17F07EBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055824Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:32.218{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDCA0A7E611B9F116EC10F9FD6FCBEA,SHA256=C7438FB5ABB09630AA901CFD3912BEAEBBF8863464E89771AA2A7FECD8001CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076350Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:33.856{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7680189FFA839341E8513C7B210386DC,SHA256=925D2A23DC5805BA0E0A6ACE717FEB6A5F694934E4B082B8BDB5A26701FEDC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055825Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:33.234{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5683589F8B6F61DBE9C53AEE1CC6FD52,SHA256=FD3139C880BBA6B2A6086292237F5EA98404D66C6D0CB48CA81D0A277A4F3AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076351Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:34.863{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EE0AB81C64F55F8224181DD814E8B1,SHA256=5427B3DF7FD853340B8980D84F5F9F690E0A4E5E60F73561C32289704E5F8A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055826Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:34.239{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55779AB464FEC6C08D2F2A2564989B02,SHA256=4DF91A3846B72C5A2B3893FBDDEF15D7A26694D24E323A00E59688237E8F1EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076352Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:35.882{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8755711B8A9A315D5F40696BB33C6D,SHA256=C0919D1F60EE7054299E20C6B0B94967F72A575E8E39071005540F242A06A4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055827Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:35.255{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3207C83F804970124C061B0EE3E38EE7,SHA256=7AD58ABDFA00FE74A1AE22709F92B465D821A7077654C7B23613A9FF2079B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076353Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:36.896{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D087131C7EDE86EB97A9C1CFCFC5E0,SHA256=F2D105B600EEE5E98E4EF86CF672CDFB66619E8FAE3D03CD31AA603E08FABD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055829Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:36.270{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAC1F23A13EF67B8BE5D2CC297B1759,SHA256=3A5997D14037EDBDC6364CF995B6487D644D924719E3CB5E561B90ED717D11F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055828Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:33.536{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076354Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:37.960{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4DC3C6C5A6484707CE973753D6995B,SHA256=168C0389A70E2EA0A8BAA21C2006607A151A6D9CA1DE010EC03859DA1871BC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055830Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:37.271{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D795B4BC69EB97F1282046C9EE67BE49,SHA256=8153AE4F350A8648A69C6370EF67AAF26E2F634CBE01B034C0639A81D8960705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055831Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:38.286{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B251DF6B54933BA07BA567B74658DC,SHA256=E10A24091EA22D572842DBD1AB57D6C75073ED3DEBCC4D4EB9F4D260A1C17C56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076355Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:35.401{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56475-false10.0.1.12-8000- 23542300x800000000000000055832Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:39.301{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6524A05A733EC207AF8138A0C5EC435D,SHA256=6D473635DE4F9D60D097B3A9F1D871A4804833EDE3D720678C96E0AF9268ECE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076356Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:39.026{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881F1611125D26258F19C8C10BAAD724,SHA256=59D9E22E4A00894D0B8FB3010D02E3D14910B0DAF89104F6B07B355E216ACDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055833Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:40.317{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2657BB1B702C997E6CE65DFE4F6D585E,SHA256=C81BE2E3124BAA1546CD5614434A45C18D68BA5DCD4A3DEA0C912330EA6CABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076357Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:40.040{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB55B25460AE9CB0A3DCF66635A1AEF,SHA256=0503C8A554E52941D84045060CB0E7E15C131157423D20A17B15E2279003CB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055835Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:38.724{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055834Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:41.333{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391538E944D30360A13FD8D6D4225932,SHA256=514D2639009CE36765CFEC692A72C994008CC0B64DC8FA4870CCA7A57896FCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076358Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:41.077{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26C44BFBC3F3AF1A8678D639CD91F2E,SHA256=ADD56E7AEB91BC3F887BE39D88FFA5C99CEA2AA33EA8E1E781B91B3547E60FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055836Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:42.348{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322B4E2A4349E77888D358AA5DD51D87,SHA256=2E374A86E3F533063D4BD6EADFD6F775795D15DD9A1FC55D69D8DD27D3985251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076359Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:42.091{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31DEBCDF152E8F8D6166CFE4D39E51D,SHA256=1273384DCD2FF2CDA6BC5C786653419DB5339C188288F7EB17B89B739DD48E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055837Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:43.364{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76B0F0FB3F38DDE1C9FC538C70A5BFF,SHA256=FBFCCC54BFE0573490E4864E38A54AAB8208F4C83E484B180E55D361697748F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076360Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:43.122{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2126F9D45B33FE562C8B7A873FE42F70,SHA256=DF158A214DD84E565DC37442F7696F0ABEC68A8B757D4153D55D2BBDC7F21063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055838Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:44.380{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE75B7ACB8CF9226442FB771E09C95E,SHA256=74DF56EB7603A7057DA8964DE224E5490089C34BBBE9B9080982FEAD4A5ACD89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076362Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:41.380{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56476-false10.0.1.12-8000- 23542300x800000000000000076361Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:44.137{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18692AB2FAD096B22AFB7824B29FF2A9,SHA256=77DD4E62C044D4904A6D7546C0E843FEA77A19DBBCEB8E401AC123952DA563DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055839Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:45.380{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188FBF44FC958DBFD4BB26F301D3E228,SHA256=5D1FDBEEE7C07156719B7A408BA1CED84315B8452BC32FB70E5CBDC8B5907879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076363Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:45.155{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158F28C1FF2A8731A1D6D17809397390,SHA256=FB226D1CD533C8EAE2C7E103E1871545E76E2001164B1CE14DE19918011E461A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055841Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:46.395{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63998728310A1A19F5C865446AE8E35C,SHA256=24EF7D09286ACF03562BE1C782EFF305F4C6D7637B0ACB51B72D712625C557EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076364Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:46.173{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84C5E00D1B7A8296BA18FD2AF1DCF74,SHA256=1BEB8E1EE44E0B5C2AC03B8A72828F8ED4A215C4AD4A68BC462DD7621DE33CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055840Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:44.692{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055842Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:47.411{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F268FE6AE5DE17D735181FE0EAD441D,SHA256=3477B7DE42BD20F76E48708ADA2270702501702751F0ECD1DF4419344BDC5BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076365Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:47.187{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6195E1966BDC84C657B5F05A430B99,SHA256=E0D993BB70D18289EA3AF27B90049F558D0DE4728B86476BA8A80336DC1E0930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055843Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:48.426{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6B4D0F71A6F0FBEC15B476EB3C77FC,SHA256=7627D65A7CBD4647205622CAFB6911EB3AABE1FD71767233DB0077E6FF142C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076366Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:48.201{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6802B1A82E79EECFDB9983C0E00F67BF,SHA256=49114772EDA18FCFCAA57D3726BA8058B85D1DB1846FBFA230699C50FE3B5193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055844Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:49.442{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314E8CA4751762471D0EB3EBA1153CB6,SHA256=E344C5A370BB8C90AA598C1CEFD4348D8AE1329D705D321F3EEADEF997259FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076368Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:49.216{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1082FBB880777B35F9D5446E2795A897,SHA256=3D574905C43847E3881309C9541523A7D74F9DB5FD0CAFC858D30D296E31CFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076367Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:49.151{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055845Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:50.458{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFD8B1CD1CDF11642C679066C9C22A1,SHA256=71851B8A35DF5CDDDA7D4298819FE8689B2E4E929BCE55D03E4F83316777FE43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076370Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:47.374{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56477-false10.0.1.12-8000- 23542300x800000000000000076369Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:50.230{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0AF67DDD56D1C070CE2BA41F485D4D,SHA256=5739DDD129C22B573C0360A11E08811F2E040050C390F2ECAA96DC6527A8DC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055846Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:51.473{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367A7ECD2889D27681E48A5F900DD244,SHA256=4B09CCC2CB4ACDEFC2FBCB4B1ACE14127E08E8FAA1F9D480DEE6B2279701EA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076372Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:48.273{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56478-false10.0.1.12-8089- 23542300x800000000000000076371Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:51.247{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66B7363D4117E716841114A320945E5,SHA256=C1C6183879B3C8EB8465F0CF63788B2CD8FC0DCFF7AE4AF800014560D3628BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055847Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:52.489{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6738FA954BC0C70243859E600B28E0,SHA256=2D4D31E2AF24C7CDCF3C20013B529D234CACC17308A40FE3DBB16BBBE0F81BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076373Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:52.265{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DF99BEF44788DFB487E1ECD178C798,SHA256=D707613FF5D74137548D03A1F90D498329CDD0175D6A10684E4CFFEAEEC09636,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055849Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:50.680{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055848Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:53.504{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71868CEB2E5E3E1A1C18258EB1A9D7C,SHA256=5848B4E9259E4C195109463D9044CF63A418C9F85696BB178A92CDA3C8413A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076374Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:53.280{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA75E2C6A3414485EB1D1914849561D,SHA256=E56E62E19504E40F0E30A34DF478CD48AA4A715B59ABA226D63B61738685050E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055850Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:54.505{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4F5E0F2B92C82B0E8CF5C1633FC517,SHA256=54FCE2396197F2F58AE594E41E7F49630A4C69E2659030F2A6C7D7E0E9CE042B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076376Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:52.388{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56479-false10.0.1.12-8000- 23542300x800000000000000076375Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:54.295{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B3703E6DF75B8E93B5F4309D9D9F3E,SHA256=7E568DEABF93B35032BCDAE730247B582227C6B0A0FA8ED594E0EED0B44F5374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055851Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:55.521{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E16712CE0928E3E471BD47CA91101FB,SHA256=3814D1A9A6E968257F51FB5DE1F48AF364EDF112928F839B3BF736C7FCF17F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076377Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:55.309{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE2E6B1EF533DF9CC054667CD7B77F0,SHA256=D1D52487142F14ED1679B2E4DDA6D7B174AF1850B8BA634B95D411E87CB1074C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076378Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:56.324{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6E51AAFAE17C8DBB0086130C07B5CC,SHA256=CCBD644136603C077B53A6AC7F91E29A38E4F2350CF9A5A92CDC8DCD096E8267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055852Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:56.536{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52837DD591B7204D9FB690B70FE1F62,SHA256=262C8730B1667989E1F8B6180118D5CD0944538EC8EED917667EB261BC123195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055853Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:57.552{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323D71FFE1F5D62F815FD572E74ED8F8,SHA256=47A465C1655B98C7C08C0C1DE61BC245A36824EF211401035FBDC6412ED527B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076379Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:57.344{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D3A6E7247AF9B1F8BB8CC51C902033,SHA256=7B661AD1EBEC698B0E3F290FA1659D0FD77620EB7E9D114E564F8C5C053413F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055854Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:58.568{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A848681270CC5F515E57CD955BF8540,SHA256=5AC4795189F99B236000AF48A41DDD294810EABDF0EBAFE9A1A578564AA980CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076381Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:58.690{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=74C36A2FA7517742BDFB23D1B800BAE3,SHA256=0F99B4FB3AAFAE13418D26047A2C8F6A754A28BB04902CC1D93CE1F063D46BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076380Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:58.359{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857665799F7A34DA7D3850617FA6D91F,SHA256=42CCFBBA04F10EA1237EA699650DB6D1D5FBC11905AED72FF14611A89AB59A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055856Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:56.646{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055855Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:13:59.583{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E929CF95DB626139AFAC23C5EFC965AB,SHA256=02BA66AB53BAAE156AF03C612224308DB168F580AEC88ACAC48521AAFE9BBC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076382Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:59.373{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9293F7FAEDBFDD4B740A6F2A11D0140B,SHA256=835C9A0A39A74D84AFBE8CFAB8569A2450504C2A65DD9F5E29D0B805E55E3460,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076384Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:13:58.230{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56480-false10.0.1.12-8000- 23542300x800000000000000076383Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:00.388{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510BF1EF58BAE643C72EC633F53E014E,SHA256=2B12AF3D605D2BFF0308FF19A37F2D765BAD0D026AF7B0DBE1A3DD27542C42E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055857Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:00.583{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80D8D4F49D9F2B75D8D2FCFC99ABAA8,SHA256=BDE371308517486F4825D609124F37A563723AD8F2A1C4C7507F8432C98448D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076385Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:01.402{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A4E1E427DB50BA8FBE37DE1FCB65B3,SHA256=587E6CA60455B601EDB72C0A02539ABD98037AEC9B9256D7486B401BBCE38F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055858Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:01.599{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D658DBF455E01FDE16CE36F4377071,SHA256=4BB25C797B34DDFC7F2717B4B31D4246BE228175807878FEC137A0E726156375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055859Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:02.614{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCE49D8C3712AFBA9BC4FAE84F7A52A,SHA256=CA0FE0D190F186072769E7AE7E139B5914E27116DBB630EC8279E18973E7B5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076386Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:02.417{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053AB429E3E9D70084798886A01B8E5,SHA256=DCE2BEA6BD904C675AF1C1C632698B009A1E467809F1ABF6A0DE5F636FF96747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055860Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:03.630{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9418361766C56B50EB013A25BE88A8,SHA256=5DCEF9D1340C82C51EA0264A465CAF7EF9A6E4C17B1FE0BB9057436EFBA7E11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076387Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:03.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA32D0FF783D3A6080B5A4EC6DFF7F4,SHA256=B04EEF87F1C713B180EB6EC9D588A6E42C3979B2ED5A243C1DD97F8F18F62B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076388Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:04.451{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB99F7C5AF21A587883E577428155CB,SHA256=331B4DC9575815EAD99A02AB9B91A08AB7C608A85EC9B7691DBC20717CA2BE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055862Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:02.631{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055861Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:04.633{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BF6D0A2541B87E9590C3926588A527,SHA256=E1189AB2662D088B7D4A9DA57B2D9C41EA98E932098DC66930DD3F7E43D5C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076389Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:05.466{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E69097FF138C8D217A50FA96E5D7DAD,SHA256=FC3ED42E8D11B8F5E69791EA6DCCA680B5A09F6EA809EB8E5D08749BFFAE205A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055863Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:05.646{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304021F53C50456DCFD94AC60F85599F,SHA256=A069FFDD54E050624F715B948E4D1797FCEC01C14011431167A1319461F181D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076391Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:04.208{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56481-false10.0.1.12-8000- 23542300x800000000000000076390Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:06.496{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEAF77AED2B93F467CC254AFFB46278,SHA256=68E6BC26C07ABE72FAAD5534CF85D139247D2651B1E3DE19B818C3FABF2E6881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055864Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:06.661{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C83B2BE2761987489843EAA571B327F,SHA256=3EBCCE3907D1D0A5CD6336C1B9693A69262AB2AA85598B7F17F355499F7A4500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055865Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:07.692{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D7698DEB5217B1B96DCA32CEC63880,SHA256=F92EE7E2D5D8249FB64BAD2C3B24F16CAAE46D180641A1DAA3B5C6E404B01AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076392Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:07.529{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C994175858007069DB0075DEC47A42,SHA256=C792C2EBD831B1B31AC0E36156BA7FC30E6FEE647DA6B2EA00DA357980172F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076393Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:08.562{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804077F16F7ACA9C5A484C620102F2F0,SHA256=558498620AC2DBE760B957A58EC5129595744E44179AC78795518C6799BF4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055866Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:08.708{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C37062A10078D9016B8095E333C0A,SHA256=01828DFA8E753102366A925CE23D62138AE9ED594351780CF292D37D0EEB4BD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055868Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:07.677{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055867Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:09.739{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E42F2FDDC89C929BC4806BBEE8590,SHA256=D8F7F433DD3ADDE51F423F2B7AB08AECFBAFF722379CB33DC624D5A93D51679F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076394Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:09.592{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E68879698C43E04DE45EF619E35E62,SHA256=7E121EF6BD971A1B3CB1FF79316EF4A51FE2892C78431A43BD55ACD6942BD26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076395Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:10.624{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C629686932DEAA7DB1C240347812F1D2,SHA256=74DF605F9D61F07A1B1219A9786A7CF0D8EBD26E00DA27524701BEF0FCFD61E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055870Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:10.746{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671BD07D3AB8D3C21D528306B4233F55,SHA256=30249DCD838477DAB37C519FECF7B65C64E45E23090DE42183EF0E4D3A65DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055869Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:10.447{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-272MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055880Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D243-611B-A80B-00000000F101}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055879Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055878Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055877Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055876Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055875Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D243-611B-A80B-00000000F101}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055874Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.967{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D243-611B-A80B-00000000F101}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055873Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.966{8A88D375-D243-611B-A80B-00000000F101}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055872Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.776{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAF1853872E75EBAA33D0530821968A,SHA256=393FA9F7F7B42C14248EAF7D50DC9363499520CEEA00C702AC1B579F3FA226B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076396Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:11.658{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA724A3CCCF546EFAB63ABE96BA0BC,SHA256=2FE34A9BACEA06ECC605DCC93277AEAF1178DCE6A125B5A2AB2A05D46A60CFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055871Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:11.451{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-273MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055889Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.795{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DE398A2C0F129C4BE526A23DAE08E8,SHA256=2B16DE4F96AB2518D623495A9CA5DE30F7C2AB3559EFB8C5665A837F4C2BDB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076397Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:12.688{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1605B048B862D212088BA44C1EAF7300,SHA256=F7CBBC6795DB8CAF030C3F5AE0C3A817DACE504350D3DF5ECAABBED9ED1EBE0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055888Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D244-611B-A90B-00000000F101}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055887Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055886Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055885Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055884Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055883Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D244-611B-A90B-00000000F101}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055882Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.701{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D244-611B-A90B-00000000F101}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055881Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.702{8A88D375-D244-611B-A90B-00000000F101}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055909Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.900{8A88D375-D245-611B-AB0B-00000000F101}17123664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055908Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.838{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48796ABF915121587F7FAD83B6706C0B,SHA256=430A6EF6EACBD2B96F603F2068930D141D103952B5423E8CE58D394AB255CD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076399Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:13.702{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6D169DF438B5F1CEA6149ED9EF53F9,SHA256=C281A26BEF03F87C78BB465623A1730E4B50AA6A3E022446E02136BDF71D5538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055907Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D245-611B-AB0B-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055904Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055903Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D245-611B-AB0B-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.732{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D245-611B-AB0B-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055900Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.733{8A88D375-D245-611B-AB0B-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055899Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.513{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B06D8C8A2FB77F8909286B503783643,SHA256=7B3154BD1802F968D03B8603ACE4CBDB58B7541045EFEB3493C6BE315E83D3C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055898Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D245-611B-AA0B-00000000F101}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055897Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055895Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055894Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055893Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D245-611B-AA0B-00000000F101}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055892Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.217{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D245-611B-AA0B-00000000F101}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055891Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.218{8A88D375-D245-611B-AA0B-00000000F101}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055890Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:12.998{8A88D375-D244-611B-A90B-00000000F101}6004780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076398Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:10.200{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56482-false10.0.1.12-8000- 23542300x800000000000000055910Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:14.870{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4B33656B9568093C074047F01EC1D1,SHA256=E4AB554C432F864AE62115014CD1EEE1BB3598AA5876A86C5850E57229E33ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076400Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:14.719{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA9129773A1EE328B64E5740CF34704,SHA256=823ECC719A051BA4D69D1E7553CD5C339371577A096A5B02058AE11BC935A7DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055921Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:13.666{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055920Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.886{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A81C48788D67A2310FFBE00666F52E,SHA256=E9C1568E9A7CD1C330789F4D761CB6F3234D1735333FEDB3932FE43A74217D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076401Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:15.737{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02D68EB19C972D09110BC0213F60A5B,SHA256=A82D2032D93FB3CB517B86FCF149077C1C05579AC11C590E3DEC6F6D611ADBB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055919Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.839{8A88D375-D247-611B-AC0B-00000000F101}18285800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055918Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D247-611B-AC0B-00000000F101}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055917Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055916Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055915Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D247-611B-AC0B-00000000F101}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055914Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055913Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055912Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.699{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D247-611B-AC0B-00000000F101}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055911Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:15.700{8A88D375-D247-611B-AC0B-00000000F101}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055930Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.917{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBCC78192B0A1E47374D0CC8828D186,SHA256=7C2286D87B88C19444898DDDD327D53F5746F77E95E5159368A52C74DA27B80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076402Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:16.767{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B5AB4A7E914CDD47B02BAFA48FD0C,SHA256=9470393FE5556406FFC2432A866FBF7535ABDBD5E1A62DFDC40799D57E591C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055929Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D248-611B-AD0B-00000000F101}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055928Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055927Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055926Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055925Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055924Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D248-611B-AD0B-00000000F101}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055923Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.370{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D248-611B-AD0B-00000000F101}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055922Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:16.371{8A88D375-D248-611B-AD0B-00000000F101}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055940Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.980{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253CD95D348EBEB7B6F4B97EEC69D46B,SHA256=DD0489437A4367349B70D06D7D88AAA462899AC9897A177EA6CFA574F7C41524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076403Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:17.782{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EA9BBF3156280698B4A52914A4EE2A,SHA256=4441264FD46787BF8CABB25820C96EDDF0C921860470BDDAF7BAF1E726A5A34F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055939Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.261{8A88D375-D249-611B-AE0B-00000000F101}28725452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055938Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D249-611B-AE0B-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055937Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055936Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055935Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055934Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055933Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D249-611B-AE0B-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055932Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.042{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D249-611B-AE0B-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055931Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:17.043{8A88D375-D249-611B-AE0B-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076405Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:18.796{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A7C2AF5991C68483C61E3A2E7A549E,SHA256=C80F3F0DE623E0F6493A0FA45A52FA55280B46F3EA6F2A197C1BBF6898B8E57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055941Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:18.776{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076404Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:15.309{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56483-false10.0.1.12-8000- 23542300x800000000000000076414Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28F8830F6BFF62A321D7C338FBDA458,SHA256=97FD2E0D6F4093D596C6A6F787276583E1421D0BB3A51A5ADD4A54EB3A8C8787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055942Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:19.011{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B4A6799AAE753E183B09F80DECD8CA,SHA256=AFDD09A611E67D1CAE9B5E2750B17F278FE68D233A9A4944FE78FFB9BECBC969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076413Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24B-611B-9D0D-00000000F001}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076412Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076411Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076410Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076409Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076408Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D24B-611B-9D0D-00000000F001}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076407Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24B-611B-9D0D-00000000F001}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076406Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.334{2F630BB9-D24B-611B-9D0D-00000000F001}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076433Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.915{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-280MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076432Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.832{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A316389F8420784F35D6E2146082C8E4,SHA256=6D95052A6F923D756D5E27C9DA890D4AA9FDD9C27B29A62AA59CCCCE24E3A9B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055944Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:18.245{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000055943Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:20.026{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDD871E8C3003C74A291AC06943778D,SHA256=6A6F8728152BFC56275DF3C0163DDB01708FAC2E781BD27690CCA7A1E36032DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076431Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.817{2F630BB9-D24C-611B-9F0D-00000000F001}8724396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076430Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24C-611B-9F0D-00000000F001}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076429Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076428Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076427Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076426Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076425Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D24C-611B-9F0D-00000000F001}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076424Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.664{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24C-611B-9F0D-00000000F001}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076423Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:20.665{2F630BB9-D24C-611B-9F0D-00000000F001}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076422Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24B-611B-9E0D-00000000F001}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076421Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076420Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076419Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076418Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076417Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D24B-611B-9E0D-00000000F001}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076416Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.995{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24B-611B-9E0D-00000000F001}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076415Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:19.997{2F630BB9-D24B-611B-9E0D-00000000F001}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076444Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.913{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-281MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076443Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.847{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5121F5E14B7909290253264D23DC722C,SHA256=060749615BB907D539B50BF37DA7589E1AC73E991CE2967735FF3E929B21E455,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055946Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:18.698{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055945Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:21.042{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D784D3D4E9DD2A133E8EDF86443562,SHA256=7000068CD256F2491D4D58653DFCEDD8169F626795A0A211AF9BDE209D538041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076442Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.495{2F630BB9-D24D-611B-A00D-00000000F001}1005880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076441Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24D-611B-A00D-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076440Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076439Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076438Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076437Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076436Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D24D-611B-A00D-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076435Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.332{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24D-611B-A00D-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076434Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.333{2F630BB9-D24D-611B-A00D-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076463Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.863{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FFCB4BECF7BC719F37035B036D93F3,SHA256=656370D678090E36CD35BAEA8D99465BAA143AFDB5054607F3F97797523EE38E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076462Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.863{2F630BB9-D24E-611B-A20D-00000000F001}73006012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055947Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:22.042{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759AE3711BD194F43CFAA956D31818FC,SHA256=95199056B8CEDB308E376F758C2B2CA1F24B7192DF86CEFA54448B1EEA60EC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076461Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24E-611B-A20D-00000000F001}7300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076460Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076459Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076458Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076457Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076456Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D24E-611B-A20D-00000000F001}7300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076455Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.694{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24E-611B-A20D-00000000F001}7300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076454Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.695{2F630BB9-D24E-611B-A20D-00000000F001}7300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076453Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.148{2F630BB9-D24E-611B-A10D-00000000F001}19045960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076452Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.007{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D24E-611B-A10D-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076451Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.005{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076450Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.005{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076449Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.005{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076448Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.005{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076447Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.005{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D24E-611B-A10D-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076446Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.004{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D24E-611B-A10D-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076445Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:22.003{2F630BB9-D24E-611B-A10D-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076464Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:23.894{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A38496E77ED3B3B553FB5445473DA4,SHA256=263FB21B9879A77189B1173588F1D08C238C0E7D89A385A812A11C13ADD38D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055948Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:23.104{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E55B593981AC83B6AB4A6A27C18A70,SHA256=73E1A8D9D8E7B2095A9037479586D4FBAAFE517140E6973B309A0378EA944D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076466Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:24.911{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2FEDD43E4EC33E59E39CFD45C54EEB,SHA256=CB3F385F0B2B0FAA938AAD83A93E2151AAB5B8AECBA22B020544312ABF1C7E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055949Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:24.120{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F081AC5E7F2D9A7273B491FDD4D8B93A,SHA256=32802DA812A0B86AFAB3B5B48C73E823B3CF63F8A160634CC1D21733A7A8577A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076465Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:21.252{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56484-false10.0.1.12-8000- 23542300x800000000000000076475Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.929{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC37C68194C48546D965576E17E0526,SHA256=1F4B9BE1E064A50F5F65611EC5F1427CDBDB2447099A520647D25CA9130CA1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055950Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:25.136{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F95E02AADCC1DBEBC019F30ECD5D4F8,SHA256=DCC19C5D8FC8D8C32314FB08DA52556B35EC8921B45C0E87FB25EF99DDA47D70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076474Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D251-611B-A30D-00000000F001}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076473Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076472Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076471Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076470Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D251-611B-A30D-00000000F001}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076469Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076468Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.129{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D251-611B-A30D-00000000F001}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076467Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:25.130{2F630BB9-D251-611B-A30D-00000000F001}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076478Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:26.943{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EE77CCD35FBAD7F7A1D2CD280B239F,SHA256=C2F1010774ACB554B2B2F21B8CAA527FF4A320196AD77C824BA0951FDD64DC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055951Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:26.183{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961731E131B2085B294E457D72D4716D,SHA256=8E2449252C70C8EDDEF4C12C0AA7444FFBB3DBF045D7C9E9BFF885C5D8F07663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076477Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:23.971{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56485-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076476Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:23.971{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56485-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000076479Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:27.989{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AF822C6A1A11B4E34FDC0F784EF6FF,SHA256=8867658A901B71E8D9165632341FC597A61DABA5EA7E7A1B6642A774E01277F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055953Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:24.714{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055952Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:27.214{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D077D85E6FC1BE0BC9843B6C2B806E,SHA256=7AF11F8395BB70E8674F01CC959BA27813DA6B7A3FD0BB083D7D1BA3C69BA692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055954Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:28.229{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9FCA7B7A4D1C5B59BAE02EECEE8434,SHA256=6292983FE9DD636FBA75BC91FA0FCA009CB6A260C9638EEB3A45371FB7AAACA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076480Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:26.346{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56486-false10.0.1.12-8000- 23542300x800000000000000055955Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:29.292{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8CB866545A6698976FB20829DBF996,SHA256=EBC3D58242DA790873151A5E6CC7EBB22F44E6643092A1C7555798366C15179D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076481Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:29.006{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2544F1DCF8A413C39619C06C0943444F,SHA256=A2E0D7A5B647D5F9A836034F3C58ACB763BE5DDBCAE5C73528267BDF6B827C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055956Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:30.323{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB7FB337DF98CC543623DAFE56F85E,SHA256=D279290EC791080A3B70686DFA0DEC366E62974F1F86C1EDEDCF066B1FC556ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076482Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:30.024{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1751DB5BE41B9496A4DC2FEEB56894,SHA256=3513D45CD634476E007B957CBC36A5BAE3B7C5C5CC6435EBCE6D67BA79DC1758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055957Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:31.401{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F797B187F0722828876C96C978B00014,SHA256=519B55AF0012EB24ED3879220161D6E074B1D3F7B5724D3400B6432DA8655BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076483Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:31.054{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C753C5F8FE5CE879F2053A53BA42A64F,SHA256=747D2A179954023BA86DD15CA874A47E23E7D150500D080507D3D74798E6A071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055958Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:32.417{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89BCFE574E4AE757D41CC51DDE3AC98,SHA256=62DF8A2DF95C333AB245EA9C2FAA31F8ADD367882EF510ACE75F7695B9A50A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076484Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:32.054{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8843A288BD39CBC5E408F6537423C74,SHA256=F0D009719C4FD73D33CC399B6A28EB1F76FA9FFF102FCADFBC6EFBAC923A5B4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055960Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:30.698{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055959Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:33.448{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0854E31DE35AFAB948F1159E149FD662,SHA256=FB870C9455DE6DE68DFCBE7B109919944191C9BFB3BC44B0AF1FDA1C7AAA7809,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076486Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:31.364{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56487-false10.0.1.12-8000- 23542300x800000000000000076485Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:33.085{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154C57252DFE465DFA8BDC188D9172BD,SHA256=C74E6B8E4B6C5B594F6E4F497C28D09BF214C7D7AD04E36FC013CB44EE13914D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055961Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:34.482{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E94D1F871B62366C19B2D912F11E7E0,SHA256=768FDE59E257C4FCB34C131FEA9A2104B09C190714E733205DC66C53D405C703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076487Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:34.104{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8729869511D1164A043E9BE6407FDB3,SHA256=3BFF308734F72842A6C118D73003827AD0C7DA76FF7DD7F35B76D4D5B118BD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055962Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:35.529{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A950934B787F9859F5ADA469DBD75A1C,SHA256=D5C543D47898871AFF1E56626E5744D49666C8E926F10F4BC766D0032E4EB5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076488Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:35.120{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF76AA7654D1692574E90967BF33F31,SHA256=7758F3F0D0FBED797497DF3DAC51CA9B5DE116B13B25BDC1B56B75549585C002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055963Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:36.545{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B5E35CDD61F3119B1321A647521130,SHA256=36CB5BDD90A9E9301C3893F3F9EB164FBC4588E8CD546CABDB5A0E8D1ACD0CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076489Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:36.151{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67918D1A0DF6915AAEEADAED727CFFC,SHA256=93A29BAAAFAB15CA9F80FB5C262A20ACD2F4DE066ED1E87DF8516C9B1E7A77A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076490Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:37.180{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753054AF48DDD01882CAB4655B268C73,SHA256=54F7C5D508829588D40218709DF2A6DCA89856D7CDA5914745F3E18A5053372E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055965Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:35.748{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055964Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:37.545{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB141525090CEC2D001C0BEB3E8AA4A,SHA256=4E80E718F7DB68A9BA707E89C714B012846A0525DD77FB8406517B82F76B925C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055966Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:38.561{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72862EEFC4D1DCDF9C9E818B03028F24,SHA256=BFBDE7543D02B3AFC3EADE44EC7C5041B89EC696CABDC321338EC12F0235BDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076491Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:38.197{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D2C6BCA638202BF8B1B0E6A8C999C9,SHA256=E4FFB1568DA3DB374D238710489A220A85DB0257610F38D1C5F85B518E0AD138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055967Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:39.592{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57D656A6228565074A060D96AC803B9,SHA256=8C0FD699B0A1CED626BD31F9EBFAEA20E6B1AD36C3E9AA70B8F983ADF26A860A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076493Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:37.336{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56488-false10.0.1.12-8000- 23542300x800000000000000076492Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:39.216{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9761B547663609198DABA49D73C00191,SHA256=9A1F76B2D75E42E4EDA02CBCCA2057F73383A854F59C57F8FF557B78283331B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055968Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:40.623{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4A7EA9C539A109EAF86BF15E3031AE,SHA256=4558D06BFE68663373346DE68502CF076BDF84E85D06BEEBB757EA987BA83138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076494Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:40.246{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BB906B803EA0274A7CE2B33EDB8CE4,SHA256=433CC92A0D7FB80437CA6F38B693CFA59F67241F868BE71F03805CE76D549BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055969Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:41.639{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA11C65029EDD97FED863A0B323D143,SHA256=1E9A4FA52DDE3A2370EB85E7AAA851FC8EB2F6FC879042E7F01C15C959D2A65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076495Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:41.276{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D569660B44171BE0C262ADA29798A0,SHA256=1A572738EC7FCE2A2653F1B31E0418468DF580F5CFB6B91A694AADFA0010F422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055970Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:42.717{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA3F0A7385BA57603EE15E12BC168D0,SHA256=8E9D0B717EE9A9F80CC3FF1D1FAB15EBE9F1E8105D70829E95A0505D55678A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076496Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:42.293{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9ED3FB1179B0EFBBA2E2496E538314,SHA256=5FB9783EC4D8DB72502E2C53EF2721B1AB762B298FC00F5C491FDC6F7F70A030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055971Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:43.732{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBCC237708834E4E3996F7E350535FA,SHA256=B21A4E70217EEB5B71B483C316BF6D807FD13EDCF1635AFA0D51CEADFC24348E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076497Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:43.311{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4B7A3E02745BAEE49A7DE709C9DE70,SHA256=91B47EBE0A71033A27C5ECC61CA7F6BAA06206FDD0047CBA57490CCE360D3A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055973Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:44.748{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C17EC473F21F50C9C96087E0770FC08,SHA256=9821E7D7D1C2879BE1853FE8CEF8E23B67E69654DCD552613F18A8F506FAD613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076498Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:44.342{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5CF6AEC34589EB094B360886A69762,SHA256=AE16C0273C56DF1FF33A07E713AE82B622CCB61A96E5DDD02DB913CDFD0DA3A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055972Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:41.703{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055974Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:45.764{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4108657D89E1206FFD3EFC7566EF1439,SHA256=E0ABA6F7AC88F1A6ADEFF4BD5CE1717B903A5A1517D691E830A1E0B543FDD994,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076500Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:43.230{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56489-false10.0.1.12-8000- 23542300x800000000000000076499Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:45.372{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E06001A9DDC938EC8C429E631821424,SHA256=A0AE06781F5CC3F38C58755B6602B529BB65FE60E588B34217408B8466D66081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055975Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:46.810{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FB3B26442E6379B9CE592BCB536018,SHA256=A94C970D143DBDB519396412DF111F9528ABA95D10FF6F56069884F71263AF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076501Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:46.388{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6544BC514245A411F3AE9672F136068,SHA256=7C7D904FFB2B2FFDB9C4E252399A151EA5AB8815052190615A2EAD94DA5BE1E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055976Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:47.842{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3346EF833A5C4634026C7333BCBDA9F8,SHA256=10A4849D8468280324B7D17DF378E730D431FB15C03298AF1F7966A651258B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076502Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:47.406{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE0339594A540FBBC0CC238CA663B29,SHA256=7642511CFA82797F4FA60BE02D05B7544420EF5B1B2AD73DC072268E47B05FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055977Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:48.857{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DA16B611E8C8BC954FC270F4675415,SHA256=D9EFEC74C0079720E935690461D92FD813B888B7394748013E9005D2CA2E4EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076503Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:48.437{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CD83808CBC467AEBFB0801CB6F8C08,SHA256=01FD1009A61434A098D9DD2A8912B58CAFBFB9B48772F08F08CB76F5D9161B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055978Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:49.873{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED92677E2ED738036781FED765D16F80,SHA256=AC7E43FF4A8FA9265CDA8D120D8F3C621C84EE808BC25B78E15D5931FF4330AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076505Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:49.467{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6C0ECF2CDC2B6B65C9F4CBAFB8CCE6,SHA256=200B68DE1F20B67A3ABD8FBAE40452C1AC7351322CF722042777A9AC33BB220A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076504Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:49.188{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055980Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:50.889{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D8AFA13CDB0CE9F1941A4DF7BA031C,SHA256=E1EE047F6D8ADE996CCBF14AD05AB5107498355824A4FDFD7612342DD30C7EC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076508Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:48.310{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56491-false10.0.1.12-8089- 354300x800000000000000076507Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:48.261{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56490-false10.0.1.12-8000- 23542300x800000000000000076506Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:50.469{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF400E9643A8C7ECDE5141758190D70F,SHA256=F7FE915E4485C18FD8E3C1164E873B54E8EB35E747EFA74D7B4E7441B7D84700,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055979Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:47.592{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055981Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:51.889{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FF3C6F57FE5BED3415FC6652671F0D,SHA256=D5FDB0560D800327D17908EDE821B219BFFF6B1ED4DEBA5797F5FF361AF7A138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076509Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:51.505{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE1D5615F72114E18F6D7141B9730AF,SHA256=73E47A9104590B611BBA6CAC0C9B09106619E25976AD5A7DBABED35F5ABD35D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055982Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:52.904{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52015231196EFD6EE5DC0811CB30F441,SHA256=5769E088B65FA69751B7F06C554C7B1E0C7771FDE67415EF424A120F564C7FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076510Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:52.535{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137DEFEA37FAD8E03AF25B1BB6B13EAA,SHA256=799F3FE0A851857A8E18EB7079B54B7E9DDDA20AB3C25D3950F2FDF98292B09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055983Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:53.905{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D5AD0A61CA9DD85B9C4D3C77767C8A,SHA256=0C26548AFC2378215BCF870A19F644A61D778F7BC64EADDAE90D92908BCF64FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076511Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:53.551{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EEF9380804A411C56B72E0EC2E3129,SHA256=EEAD8260B7804DB45B5544779C9202682EA1B94C9BDA1334A46CDF4D5052CD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055984Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:54.921{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D4BA53B2FCB43C87B6F6B8536C4D65,SHA256=F5769C01D18DB545A50034D8E42B5B9901288A0E57ADC6E1B3F98C03A9130548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076512Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:54.566{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A3B26074B8BB3380421E188E08143F,SHA256=554187864BC45AD3EB8925334A85F291D4D1C9F5FA39EF29DCFD42C7BC7E8DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055985Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:55.937{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52547B6AECB199DBCEBEAA96FB192D9,SHA256=768518B82CC78C304936B70B146CA45BAB73F2930094F726CD5E3A8AA268F22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076513Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:55.583{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C638825713C4C98877E74E5B9B3BD,SHA256=580242B973F9AB8A6146EE36F99E431DF307F57E8C8DADA7227BB64A563E72BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055987Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:56.952{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AB6592FC8854A14B491EC51D441CCD,SHA256=DB7C9E89534DA6907B1AB0AF934D763F41C0BB65004953967790AF60AD81F1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076514Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:56.601{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC833EB3F1CF60B5C8B3C8344CBF1AA,SHA256=6AF306DBCCC1473BB4770C58608A79B036AA0C9FF8A3E5897EE4A777E60ABAC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055986Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:53.561{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055988Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:57.968{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFA70802E349FF82E11E3CF02E1F777,SHA256=66BE7B7C6567E0261012A38D6E979CC1D5EFE957E86D821DCF15C5FCCE8610BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076516Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:57.616{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2E6FEB31406CA0FD49722BC31578B3,SHA256=A3C0AF4803DCBC50B698CB7F4CEADD9B7C69CCAFBDEE66D44261ABCEFB98588E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076515Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:54.191{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56492-false10.0.1.12-8000- 23542300x800000000000000076518Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:58.699{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=38E747B90154500E39C6DA95A7174D9F,SHA256=D85644D0AC11C1D8A50DE4C0F30AD6FEC1D060BF5BA0B382E7980843C1C49DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076517Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:58.630{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231622FB043C6E59E5E42CEF18593DC6,SHA256=C6EA2D7B4CBDB43126912326E030ACCEE9371F20924E243CE3EA2D4B186CE58B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056017Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056016Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056015Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056014Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056013Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056012Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056011Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056010Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056009Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056008Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056007Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056006Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056005Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056004Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056003Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056002Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056001Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056000Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055999Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055998Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055997Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055996Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055995Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055994Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055993Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055992Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055991Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055990Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055989Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:58.780{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076519Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:59.660{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256529F4A883FB7EE7FDE6D3717A3928,SHA256=74191A7B4694E5A2D3DB376F0B9C0E44EC36016F11BA966AD840CDE0693DE681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056018Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:59.421{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39B0627E345B93B9449B08E18FCF42,SHA256=DF55E8C59A24A6056A3D67351349F78552DD387EBB32C79383357C0699D744AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076520Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:00.677{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894EC82F56B37BE219298633B568A77,SHA256=77B3D6FB422141089676379787BBF9788003B7394D3F7B07D08DAB5A3C833F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056019Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:00.437{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8542824EB2BF0EB8200FAB2F5582300,SHA256=01F2A478F0FA3DC8F4EF596816A0E38D9A65D8BFC7964A12BD4A4A1C7191C639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076521Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:01.695{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E497576936394FB554B5C8F401777C,SHA256=B32190A5A31F94E2AA4918A7C45DC9B55D1340788B2895727B4738B1E1C887D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056021Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:14:59.608{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056020Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:01.484{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA278E34D5845F7D0E74BD12162FBD0,SHA256=4D4769CC2ACDC870E8CBCDFD0DBBD795E7293F133556D3B616D7461422C21305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076523Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:02.710{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C73D7D32B8E0B7266D8319C41CF0DD,SHA256=E0791C2BEE4A61117F31B5A4281E8552722C65A21884BE1438452BE47806176B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056022Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:02.499{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6AB08EFF958395B2E0FD12B0E8E998,SHA256=7AE3CF5DC58D479BF869DB00609987ED97DAFAD5F5313ABDC4388D3C65562B89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076522Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:14:59.338{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56493-false10.0.1.12-8000- 23542300x800000000000000076524Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:03.724{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E508499487627E7304588F5BB3C1D0,SHA256=663C46D8C4855C50BDBCE6557387ED4E3031E848B6497E6F2D0B4B8DD322993B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056023Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:03.515{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D7BC54D5A3847A655AAA9968A3C77A,SHA256=320845C3F46BD690292A37C83679673A3120E21AEA0746B3EE067B62714C0097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076525Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:04.754{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A44E7D3EC81E575D7936F73370F6A1F,SHA256=7621F6366622D33C250870DA42A5E8027DB8326735EBAE790CC61DAFC6D7CC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056024Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:04.546{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C5E30B4CA0BC61B5051D8688DAA3C8,SHA256=10C21D1EA21E9D8CE0A27B8A36F054691BE362918A09531B1D18B2A231BBF53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076526Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:05.771{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE89B539E28C347221FAEB494FABB359,SHA256=934256FCFCC4838866B101B87145415FF5302747D7DA592DE59763FDF593569A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056025Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:05.593{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B7522D0B918E2283B7E0D5147CA089,SHA256=A3C669A5BB358D4DFA6B89CA41B8F2FA5CA0AB6CFF139DA530BE443A6A6E22D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076527Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:06.789{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391364D928E719B5322678655F96356A,SHA256=32CCAF2B81FBBC675271EF66E8C52B749CDA518057B992E6B75E82329C3E50B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056026Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:06.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF2E787741DC5FA5B13F46E15C6EC19,SHA256=A03C8124D634EC0DA860B5872A8C9BA1009B351F1E31A4A70E9FB4EC1E32A41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076529Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:07.835{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9289A1F1A083E980600DE98DC3AF9FB1,SHA256=F72E5E4FE175026CFB957FB717C4FAD7B126FFEA5BD7D4BB5239BACC0125164E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056028Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:07.640{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63D9870B4D3FD36C78549E543D74744,SHA256=54EBADF1E412279B8B3ECE88940E4FA73BD2CD143FC93CBA1029679804C78AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076528Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:04.348{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56494-false10.0.1.12-8000- 354300x800000000000000056027Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:04.687{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076531Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:08.867{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C549C44C22497DCD0C2988D7977CD33,SHA256=7CB7F60284346B76733A8884437D8BFB9EBB70D0D8B4FD74AC48F2BED74C2654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056029Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:08.671{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5787EE107A71D3DFBA72D3F151671E,SHA256=AA16ADD61AF09AEEBAE730728FAC3D46D6149D5C7553CDB8411B86C55274A366,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076530Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:08.565{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076532Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:09.901{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D303CD94D9A949E07AD7FA2379E41AC,SHA256=B087386F06BA35CDC7ADF6A7F5E232EDE9211967A63D19F458A475A689230696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056030Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:09.687{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCE38EFE778A926043017174748C134,SHA256=41791F3C65539AD459BDF767537EF63F1302458E18E5888432C146D494F62D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076533Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:10.916{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C7B2F8B22C20DDBDEE3A946B0B1723,SHA256=548D9553CB4CA73BD553BC4024E0C87E69EEE5CD8BF46ED475E20C32DD8DAF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056031Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:10.702{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4E298AD638E0C901383B1115414E6E,SHA256=65238618E1136F54F32305B2FDD69592A4AEB6B1FC72BFEF97A24BDA9F118EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076534Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:11.931{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148719DEE339D6DF49C6BDC03E6C3F68,SHA256=E8A76C17796BF0F9D9F08EE898AC9211F38C98A6F13F42256F9C474C8E6292C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056041Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.977{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D27F-611B-AF0B-00000000F101}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056040Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.975{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-273MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056039Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.972{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056038Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.972{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056037Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056036Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.971{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056035Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.971{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D27F-611B-AF0B-00000000F101}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056034Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.970{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D27F-611B-AF0B-00000000F101}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056033Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.969{8A88D375-D27F-611B-AF0B-00000000F101}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056032Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.718{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCC48E3446A23B1A82E775B8B0B609D,SHA256=737113EB498FD3D0014AC0E3BB65D4A0C6ABF03A823FE2AAC64EE3C6CBB79B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076535Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:12.945{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F83BA5283738B98C5266EBCBDBC134,SHA256=9F496DBF1A449BD0E425E157E12365F04BEBEACB19D05C237DAE7DFEF49C0F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056051Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.974{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-274MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056050Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.769{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C6350980648CC3B227BA0070AE9966,SHA256=3D2CC855B1A81A585C84B3BEFBF1CEA9AE4D0996139BC65A1A2CCA333B44B5BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056049Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D280-611B-B00B-00000000F101}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056048Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056047Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056046Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056045Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056044Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D280-611B-B00B-00000000F101}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056043Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D280-611B-B00B-00000000F101}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056042Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:12.723{8A88D375-D280-611B-B00B-00000000F101}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076537Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:13.962{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B79EB75940A6E4B80F12450A21A8C4,SHA256=00FB70BE546AF8B90F5378EDE4DBA1CB8A771226436AEF740488C27E1C58A56F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076536Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:10.257{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56495-false10.0.1.12-8000- 10341000x800000000000000056070Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D281-611B-B20B-00000000F101}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056069Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056068Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056067Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D281-611B-B20B-00000000F101}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056066Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056065Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056064Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.881{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D281-611B-B20B-00000000F101}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056063Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.882{8A88D375-D281-611B-B20B-00000000F101}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056062Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.524{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=69534FF57249C02F815FD098D532E0F1,SHA256=4BF1800C809D3200D6DF0F83B1B6741DADAB9C41FD738EADBBDB2D28E6023895,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056061Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:10.577{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000056060Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D281-611B-B10B-00000000F101}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056059Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056058Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056057Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056056Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056055Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D281-611B-B10B-00000000F101}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056054Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.225{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D281-611B-B10B-00000000F101}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056053Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.226{8A88D375-D281-611B-B10B-00000000F101}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056052Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:13.053{8A88D375-D280-611B-B00B-00000000F101}53965628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076538Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:14.981{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EE7852E23DC2D9CA283ED50A2380A3,SHA256=323D67694A7D399CB8FE841212FB546B4080CC3B301EB9AC1AEB5393ACA11524,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056074Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.727{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-316.attackrange.local138netbios-dgm 354300x800000000000000056073Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:11.727{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-316.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 10341000x800000000000000056072Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:14.068{8A88D375-D281-611B-B20B-00000000F101}53846116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056071Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:14.021{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40E360115C040AB6A7F83A71B25258F,SHA256=DD656D714CD18029AB29684986BD358C347EDA935337A76E358E46AB53E86022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056083Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D283-611B-B30B-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056082Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056081Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056080Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056079Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056078Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D283-611B-B30B-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056077Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.709{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D283-611B-B30B-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056076Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.710{8A88D375-D283-611B-B30B-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056075Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.037{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BE35FEB20980CA1FE36C85A9DA7F94,SHA256=C8B2CDCBA20D014E8B497B2ADEAE15D662091FBC9B0F6752D635FF325754CF02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056101Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D284-611B-B50B-00000000F101}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056100Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056099Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056098Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056097Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056096Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D284-611B-B50B-00000000F101}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056095Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.709{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D284-611B-B50B-00000000F101}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056094Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.710{8A88D375-D284-611B-B50B-00000000F101}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056093Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.474{8A88D375-D284-611B-B40B-00000000F101}56163640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056092Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D284-611B-B40B-00000000F101}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056091Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056090Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056089Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D284-611B-B40B-00000000F101}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056088Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056087Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056086Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.209{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D284-611B-B40B-00000000F101}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056085Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.210{8A88D375-D284-611B-B40B-00000000F101}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056084Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:16.053{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0855FCD9522A0222C1235CBF782236,SHA256=FD4C6B9AEDF079818770B3035265D537EEA7E06966DFACBA0921AF2A4B074978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076539Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:16.042{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CC4763860275BF03B159BEF31547CB,SHA256=CEA7670577BDE6F63BD7A545997A0112F073B419FB52E73369792AB8A6C9750B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076540Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:17.058{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1644BC596ECAC63F1B3DC68C38939E,SHA256=B480B17F20FE74188FD17C4445D0CEF322012FCB12E742CBDBE73AD4FB338767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056103Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:17.068{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082147AF76675656D355CAB36EA6EC33,SHA256=892CA34797C58CA61053151438F36B7E77AC2CA3A8DC80C765387FD8FCC6D5CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056102Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:17.053{8A88D375-D284-611B-B50B-00000000F101}14563732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000076542Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:16.281{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56496-false10.0.1.12-8000- 23542300x800000000000000076541Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:18.108{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDA5373FA701294D36DE5D917A53E53,SHA256=C3FED95B909BE574A9FD1AFACB597F44AEE177E4D888AE244F3218EA11EB9212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056106Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:18.803{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056105Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:15.615{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056104Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:18.084{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B854A788F2046AD0C7F837DADBA4080A,SHA256=26971FE2B739EB07E387479353F17294615589AD72A3EFB5CEE3279EA6CE6538,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076553Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:16.700{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-86.attackrange.local138netbios-dgm 354300x800000000000000076552Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:16.700{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-86.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x800000000000000076551Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D287-611B-A40D-00000000F001}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076550Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076549Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076548Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076547Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076546Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D287-611B-A40D-00000000F001}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076545Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.338{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D287-611B-A40D-00000000F001}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076544Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.339{2F630BB9-D287-611B-A40D-00000000F001}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076543Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:19.122{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1567F220642016292C883A21790AEC,SHA256=9EEAE5FB628A54600076DB60B13493819243BFB257F985AEB2CA65CB630F88D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056107Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:19.099{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC65DA5610A856EBE75B0F6ED3BDBE9,SHA256=26BFF16E681C4C4DA9133AA89CF0E4126C5313F0B9BD665B0BA8F384275258FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076571Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.773{2F630BB9-D288-611B-A60D-00000000F001}45805076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076570Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D288-611B-A60D-00000000F001}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076569Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076568Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076567Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076566Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076565Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D288-611B-A60D-00000000F001}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076564Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.636{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D288-611B-A60D-00000000F001}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076563Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.638{2F630BB9-D288-611B-A60D-00000000F001}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076562Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.137{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F530CE3EA850098F0A9AAA48004E791,SHA256=D320FB2AD3EF36EE189D2977BE3D0B1D151CA84C9BDBF195EEADFEA96675C133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056108Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:20.146{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A38EDA58BDA850C1F7BC6C9F197505,SHA256=9ADB1E7364A0CB79E9E442DEECAFDB2BE7AE88AFFFB7B612ED310BDD198944E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076561Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D288-611B-A50D-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076560Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076559Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076558Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076557Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076556Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D288-611B-A50D-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076555Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D288-611B-A50D-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076554Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:20.022{2F630BB9-D288-611B-A50D-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076590Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.872{2F630BB9-D289-611B-A80D-00000000F001}60205476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076589Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D289-611B-A80D-00000000F001}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076588Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076587Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076586Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076585Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076584Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D289-611B-A80D-00000000F001}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076583Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.735{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D289-611B-A80D-00000000F001}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076582Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.737{2F630BB9-D289-611B-A80D-00000000F001}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076581Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.357{2F630BB9-D289-611B-A70D-00000000F001}81002008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076580Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.304{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD2756C26B45E0DD7124B7AB82D8002,SHA256=A697929037C6AF624E76A18F51064E330ECAFC9FE875CDE441E5788405E2DFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056110Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:18.271{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056109Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:21.162{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48188269F8E90618BB249A0555C902F4,SHA256=FD02526553581CAAA7ED226A4B3004D97935EDADF5A816C904E2A8E84D3248EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076579Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D289-611B-A70D-00000000F001}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076578Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076577Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076576Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076575Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076574Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D289-611B-A70D-00000000F001}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076573Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.220{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D289-611B-A70D-00000000F001}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076572Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:21.221{2F630BB9-D289-611B-A70D-00000000F001}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076601Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.492{2F630BB9-D28A-611B-A90D-00000000F001}67446704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076600Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.421{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-281MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076599Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.355{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D28A-611B-A90D-00000000F001}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076598Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.354{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076597Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.354{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076596Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.353{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076595Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.353{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076594Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.353{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D28A-611B-A90D-00000000F001}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076593Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.353{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D28A-611B-A90D-00000000F001}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076592Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.351{2F630BB9-D28A-611B-A90D-00000000F001}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076591Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.334{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4B63F6F9F4404FF9F6E07C49B0D370,SHA256=F0ACDA61F9580504A97F4A64F96AE8885B325E959E203574466FE06155716A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056111Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:22.178{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C60CB2BA8D33E660C216DA1137D051,SHA256=32FE88686ED8627C43C668280A263994A0608232999B907E52ACBDD7D231EB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056112Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:23.209{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304ABAAD6A4F12D2FE42AB0D5608393C,SHA256=C1ED2A0152FF03ED1835CA64475CDA9E20BCB7A9E261FA09D2CA29666783F929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076603Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:23.435{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-282MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076602Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:23.354{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7D1A3D976E34E3CD4A09B86127E6F0,SHA256=D7C26065E0CCCA3FC7B8A096237C20704BD76350C513A95DD2D21111838FF3DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056114Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:21.630{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056113Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:24.209{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813CF0196EB36C2DAF2C68C62DE95454,SHA256=65BEE5B4BEC8B481582AA004DCE471F5DF73023465CB00E334562EAE243DBBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076604Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:24.402{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6F3B9232CD0DAD0E357C67A244EFA1,SHA256=D878207FE21E318B00192D15170EE2C0EAB14C530B540E26B0360DDCA466E460,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076614Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:22.191{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56497-false10.0.1.12-8000- 23542300x800000000000000076613Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99AF9D5134F1BFAE425829C3D93AFEB,SHA256=FB9B88152A34AEA366C7ADBE53297387E75AE8798789FD0BC3FDE93961FA84C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056115Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:25.224{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18117FFCE0DDB59C957986021D5F1A8,SHA256=71F8F571DD13DD5B6B61944B7E1925C1B10CFB99E3C37C4A052D7D6CACAB7C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076612Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D28D-611B-AA0D-00000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076611Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076610Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076609Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076608Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076607Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D28D-611B-AA0D-00000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076606Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.133{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D28D-611B-AA0D-00000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076605Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:25.134{2F630BB9-D28D-611B-AA0D-00000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076650Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:23.974{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56498-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076649Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:23.974{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56498-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000076648Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.749{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A949910BEEF7EC3B3A6B95C65608BA22,SHA256=5FF539F3AC062F5E616E47B15D2CCC8EA04CBFADF963E12D02E59E68C8E135A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056116Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:26.271{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3595B315DE595854D7CA63ED0B2EAC,SHA256=0EE38FD30512B7813E8AF48FBD6119D17BAF930137C98B30249CA85E7334845C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076647Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076646Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076645Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076644Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076643Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076642Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076641Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076640Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076639Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076638Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076637Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076636Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076635Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2900-00000000F001}2984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076634Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076633Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076632Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076631Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076630Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076629Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076628Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076627Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.349{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076626Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076625Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076624Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076623Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076622Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076621Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076620Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076619Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076618Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076617Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076616Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076615Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:26.348{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076651Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:27.768{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75777CA468225DCA1A0ADB130957F4B,SHA256=E4360C0A793F36407EC44C448CD4E7D9129ADE2AAF018D2516E61A35B7ECE264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056117Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:27.302{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9E6DD9AB714E07915A2FE14B2D41B1,SHA256=9DEF56146C71B99F524FEC99E6F4C3143177358209A19F78338255E54EB9457E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076652Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:28.783{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB7FDDA061CD159D32E9204C3F4A704,SHA256=8D246F78193E5BE29FF598C12B31F801225FC9341555EA7B0F1D46DC929920FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056118Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:28.334{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEF7B9D2487ED5E19A8A2BC107BB4B8,SHA256=BFF0C468E9E8F988854545634874B5802B216DBF4B9B896BAB292466138AFD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076653Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:29.797{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C339F576872444EAF9410B1BC89A84,SHA256=DBC61EEDB1B1A23CEA9E7E3A48B512936C1C1C387D25F06627FFE32DA03D6F4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056120Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:27.614{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056119Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:29.365{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584F40E4F78F2BF4BCAF3B9BF92AB83D,SHA256=13B49AE2B914E99833D855BABEB7CFC8F321752D239839CC39E07AED81DC2625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076655Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:30.812{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BC8FEE4A383309EFE6B9DD6B364F17,SHA256=CA65811BA8003C7CB66400BDE4104E4D6C62D5650A66E23F2CE2957C7E75B65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056121Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:30.381{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1834A82A68CA610F2061D57DDC2E6749,SHA256=A0DF435C72DC28EFC1485EBD65D68A50B0E7556B06D426AB64ACA231893EE098,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076654Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:27.291{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56499-false10.0.1.12-8000- 23542300x800000000000000076656Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:31.826{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A561C443F9705AAEFB9BEF97C828956D,SHA256=D5518820CE9681D85C17D81147B54AF513B2136AA4F52DCEFFCED0ECDFB31D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056122Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:31.396{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DCF3E76821B80EC06216F1AA2F4A03,SHA256=09719F4BCC2E22EAAEC4E6F8FA2A471AF7EF56D975B90445FDB21709A5FFCD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076657Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:32.843{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805EB417586BB3F7EEBF095C5A0CE247,SHA256=A292613355F7C4CA4CBB2CC03F4E4F5EF342E4A288A23288F26126A53891D3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056123Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:32.443{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B563F43ED18276823757A4AA427D33C5,SHA256=9A1A7CA39FA3B0D0B3F817F0BEAE479953C7D71AA7CCA7E6375148F42B2161A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076658Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:33.862{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21486BF2E1D1C83AF7C231C93A89647,SHA256=AC860E6CC7A5CA23FCCDAD4AAEF14BB6CF4238A6BCF69AACA3BD5CB827C9CA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056124Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:33.506{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59C01224793429D11BA27358E38E021,SHA256=186131FF232251C59FE006644C54A7FF4D0171827E6095871C0D87FC0E7D9C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076659Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:34.877{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED91690C21A4E5E36B0AF25862685F46,SHA256=24CD201F5FD0C4F68B89E92FEC484A37C40C6D973B85069AAA7E62182F774CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056125Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:34.538{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F967F56C46B108E0C4C1A5D7F89491,SHA256=B1711DABAC28C15C567A955445E8E68D70DFE6F3868718101BD453981BF0BA0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076661Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:33.234{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56500-false10.0.1.12-8000- 23542300x800000000000000076660Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:35.891{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7ECCA55C1ABA7B759FC59253A31009,SHA256=ACBD97914A1902C017776C0C416D9684CE2169EC12AE9BAFC77172603AA547CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056127Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:35.554{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350EDBD3D94D0F367EA7F5925431DE1A,SHA256=48841361886E178676B0B470EA6A64487A701299EA26953DA5A9D47FB16A9087,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056126Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:32.693{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000076662Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:36.905{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D286F7E43864B5743854212D14662C45,SHA256=8241E2459E48EA2CA30560835044C92F862990CC33EC3770CF471B8DB7BD5B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056128Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:36.569{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699D79C39B2443D621B14A274970C9A1,SHA256=79716C2A96D31CD69941BAB289565379F6D0CAAF81B91FA7DC787770D82A381C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076663Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:37.919{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D95D2E1FE878EC16A29BBEC320DF35C,SHA256=1CE45D496204DFF689FEBB8A0771DBA078CE2CD0AADFB3D10089FFC836700464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056129Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:37.600{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACD4950E4439D91855B03C28FF879BD,SHA256=83963AB805138BD85104FB9D655E4EAB78E925E1CE109EC8E677CE79907FCFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076664Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:38.936{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC82239E28115C252644D91BD1E38A1C,SHA256=AA7BA327C8C2FCD6FE99A4485D0264DC7F9B08E4A492697EFFCBF065F4CE7E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056130Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:38.616{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1FAF96B7B595F4A48092EAE40C6BFF,SHA256=A3CF964768ACA6257DAD04463BCF527E71D1FB881617167B6D452B64EFD41F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076665Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:39.954{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62E60702AE3C462FC361A8A6D06B0D9,SHA256=D41464332616C27CDE938926B6D0145E28D984DC33EB9CFF20824BEE6A9A5F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056131Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:39.632{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C91AD7CFCBC087477162CBF5677300D,SHA256=7266BDC1E8B0674A9AE6D72B07375C078DDD45A3723A7173CC02859D1A8411C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076666Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:40.968{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D661AC13EB21B078DEEAA2E659701F4F,SHA256=99F0E381506F3B7DD87000FD13F41A8E70E9119B8D0E5C6ECE65FD665D1522A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056133Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:38.569{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056132Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:40.694{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593E608A157B50FFC3875D9F7EDE1899,SHA256=CAE288B0195095B062115E43EF06F7E551C21A356B2A2BF505F8B58970442999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076668Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:41.982{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1918CCA57E588B11646DCDBBF5BED8,SHA256=444AA12E92A2068F98F37C0FEE2AEEC16570B2F809410E35FBDCDDD107BB6C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056134Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:41.725{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37776420B06208BCCFE86056D3A3D6C3,SHA256=1AED7012A4C95E6D9E340E7F53F549BA7F395D8C2AAF7B3BDA7A15DC7CDB5729,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076667Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:38.396{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56501-false10.0.1.12-8000- 23542300x800000000000000056135Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:42.741{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9EA8D3570BEF3DAD3624DA85A64C5D,SHA256=79E4322BDFB8334C796722BBD0126E5DA5A5437E0A71F85CC846127822885C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056136Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:43.741{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6104AB15EC2407F6CC2F4D2E8E5FED,SHA256=2A79FCC28F1B41BC8CC0E98C64609BD2B0B10E6332BA71406DE6642BD1E47F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076673Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:43.281{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35C862E99113C8E0BF464BB7DD79E81B,SHA256=41E076DA7B4DC2313F2D3FDB3F01BC9FB5FEB5FFDCEA7313787D4FFC265450A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076672Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:43.281{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07DF9BF33C34A38C6D897E76F5A7822,SHA256=D3AC64EB97FEF5AF0BD861EC19E6B76461CB577A6C63661798FF8F2703DE75EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076671Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:41.257{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56502-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000076670Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:41.257{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56502-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 23542300x800000000000000076669Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:43.012{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E6CB692E5C08A54AD38D3A56ED33B8,SHA256=E5F346052C2F35C3858B9FD31617B60188636631902530C129BCBFA942256161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056137Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:44.772{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FCDD64CA608957A914FF0E69C6BB18,SHA256=AE3C30C3A5D62C587BA16FEECBD78E46F9984FEFA743B72D3F167A23A6A23F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076674Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:44.031{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDECCA277AEEBBC39C0C6714B7BEF05,SHA256=8D89CB3E52C9B3DD40B42D65723AF70A0C7FE91F6B4AD8B7EED5E6D16D6583A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056138Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:45.788{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A2E3D793B1BBED67FBAFE42E8EF6C6,SHA256=DCDB0669B43E697D4365E6BE259DD4E97CB5CBE10A50A8D8E98245E04C7660BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076675Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:45.111{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABC463F4498278D057F6E8A284D2BC9,SHA256=B70AFF730FB06699C793C16B637B7EE7DC6DACE38A54433DED36227E81393E01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056140Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:43.569{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056139Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:46.788{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A0978FE6E0DB61A03F9464FAD5E842,SHA256=54F11489D3311335DD69BDEE881D8E9798C6A4E8E14507943F4E76A58B494918,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076677Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:44.167{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56503-false10.0.1.12-8000- 23542300x800000000000000076676Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:46.128{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0BA22D62E44F9C8533BD2E5AEB625D,SHA256=C4BDC7DD1E547FFBD7019550366AB95234D3642714A2EF190B8871BEDC152A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056141Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:47.850{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95244FA6AC3F8B63517E23E1C19DB9E0,SHA256=0206C8521AB292BE64A43644D8013B389263733078E97B70DD628E79693BAB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076678Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:47.146{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7BA423BC4012B8EA2FB2BC67CEFA35,SHA256=CC40E7AEB6629D5378FB5216DD78DAEBFC8549963919CE9529E637C5EA7CC0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056142Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:48.866{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA17C56C3089196DA7170046C5D81D8,SHA256=0F8DE7998341C0292828ECA60A5F40B78F471B109954E57EC316D417542BA056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076679Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:48.176{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4399DDF4BA07179E0488CA182EC2D0,SHA256=168D98F6D37DB3D0D7D4FBA5D9992789B5387DEA9945E9194A24D3F530F91684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056143Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:49.882{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0CE5416125421FA0EAFB38E30D0428,SHA256=BEC4E285F5836FDB4FF482E98F362C8DB983F2110C9C0C2C892DF01F4F3CEF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076681Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:49.191{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076680Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:49.191{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DB1DDEF0513922D99A2C94F453A7F2,SHA256=2102AA2194610B86409313CD5DB2CF4D15797ED25537D1820988D7694237180F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056145Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:48.584{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056144Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:50.897{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9505EC7B66B741DEB76AB6C07C486A,SHA256=2C015DE4E58EC53818A686FAA1DF1688A3AAF05A9480A1DD784A8C505CFED34B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076683Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:48.331{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56504-false10.0.1.12-8089- 23542300x800000000000000076682Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:50.206{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45E12F81E307CA07D1C27EFE5F21D1E,SHA256=7163B766458C655FC6D507BE983E18FEA63EDCA3CE0B61982B4216D97DBB941F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056146Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:51.913{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636A08B109F383C1F6C186A956A4CE15,SHA256=35740C7BCBA52E403DD1E52EBA106D3116E02FC0949578EFFA29B29FA7FED4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076685Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:49.215{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56505-false10.0.1.12-8000- 23542300x800000000000000076684Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:51.223{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7381DFAE2685860FDA3F613695F24F,SHA256=2FEDB61112F7C6784CEAF117684F9A42BCA431D27561F17063FF0A0C5D0DDB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056147Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:52.960{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E3791A797A980A5FA8B576B3DC0E7E,SHA256=06C378494E45C1367C6AEA027BA0601CE53FB1E21F14F82323F9E987E9ADA3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076686Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:52.241{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA4B6DBB76B6EF40F9F4430BDE7B35C,SHA256=9822E2089A6F231F256A1BC28A2E10C7CC9004736F9495061F421288397E970B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056148Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:53.961{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FBD37EF1CEEA7874E3665025980E86,SHA256=C4D3FB63FE6A9F03B48EF2DD82441EC1C03A8797C9689112A1103E733D144D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076687Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:53.256{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FB2176D136029782D54BEF95FEBDED,SHA256=D7B5595E29EE54ED5C974F37E6FD05A254457C47CE965B08B10C9F39AC71E897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056149Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:54.977{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0532D15CDEA4ED7E18947DB38AD10B,SHA256=A019E83B5ECB6907876EA649120B36A8AEE0DD1EA6D6BB4303D327346CF7653D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076688Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:54.286{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309D51DF3CF82FC6D28D26AC569D0C5,SHA256=0AA0D70417B00BD5A7EA493CFF9E43123514432A065112E5012E7EA6A55E5041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076689Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:55.301{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766630316C135DF51179DC22B9B6A222,SHA256=74FA3A72339604EF879A59459F8AFA5C71DC8E5290558FB7FD34400BAFA96272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076692Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:56.537{2F630BB9-8EB3-611B-1600-00000000F001}13043976C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076691Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:56.537{2F630BB9-8EB3-611B-1600-00000000F001}13043976C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076690Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:56.318{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B8320DD67EBA23A060CD0FC675838A,SHA256=C96C31E8BE3C189DDA77BD85DD93AFFC1FF14C04323C686725722257B5872B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056150Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:56.055{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED65C8B3C314062368525563FC221432,SHA256=89B499490397C151A9A5F42B3848C743861C2332A22CEC16A93859B2FAD6C0CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076694Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:54.241{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56506-false10.0.1.12-8000- 23542300x800000000000000076693Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:57.337{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F260F33FEC6CF67545251C59E94A9C1,SHA256=24F6CD8522997C40137B399521B75B67B5514CF4620FC07F8119BE04753A28BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056152Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:54.570{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056151Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:57.070{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758849331C3D7B1A8B378372D39B51D6,SHA256=1E62A4158FCB1DCEBBB18DD52CE8CFFF251E4BF2AF2EB72CB80F3A38635CEF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076696Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:58.714{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F87B16E1A90802D07B8262971FA10634,SHA256=9AB7BA4CC7C0A537B234AEA16A6CD3F711F26E24465B696DFEBFEC2786C34C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076695Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:58.352{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECB88416233617BC0EA61B1EBC7E257,SHA256=455F73F62CD4B81AD2FD65068775ECCC0FB7DD3F89F0B0ABE406908285390C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056153Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:58.086{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C421BBE2679E0C94A930C8FF8C4805,SHA256=61B2AB46771EAD0C071EF0D61F76ECD8CC3C0ABB1D98D8E073F5FCE151F132ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076697Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:15:59.382{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4A665A7F7C731B7644FC2D381FAC4A,SHA256=753548BBA8C3441DC62DA83591813510A2DBDE8346E4AB7D098C95B5F01045A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056154Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:15:59.102{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F134EE56D1AD0522280B1C0AAAA2A2A,SHA256=8A9D6D3000F0E26564B2EA2522D4869BB4F9DAD228F0548AEA7FEE1CED9854AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076698Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:00.414{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EA74EDB2996789755B1AF2157D1937,SHA256=2F64F20DF54088E2A8D9C559946FF1C1147BDF3C09A2CD39ABB349D8454BB7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056155Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:00.117{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4E7ED924E456B11F64FB0C7C039E07,SHA256=01592F3A77E5C8BDA3E467FCD02D26F1497761C750F22AEE0BC622235AB444B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076699Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:01.449{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79216B629CACAF0541C55A2B695D9351,SHA256=8205E394D3E61A8DBCDEE3E6BF6C8111B340EC41551B076BA21D3F3EBF842C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056156Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:01.133{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B654813A47918C43BD39A0F6752097,SHA256=C7A788B9EB7BBE9730D07064048775E7E57A08A4C7B494386AF15660BAECE901,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076701Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:00.236{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56507-false10.0.1.12-8000- 23542300x800000000000000076700Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:02.479{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC9C3DCAFEB155324F21ADEB74EAE5B,SHA256=BD5A20CCFB12A1211BDFB8A19BC7CDC9B1CEF3896E93AA0E67D248D874B5C186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056157Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:02.149{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B985ABAA9F49147A3279CF9D2D7FEE83,SHA256=7FA020FC3AEDEBEBEF5E1F624E6C7EC0BABF1FA3CE7790CC2FC8165CAAE2DDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076702Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:03.512{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E266EC5EB8FA9DEEE253B5242F80E1,SHA256=88D0FD697D6824A9624126DC029C8AF1F658D6AE231C40401FCBD3C9B0DFC09D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056159Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:00.601{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056158Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:03.149{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE39A7B879BD98B7D49BA2D74F01352D,SHA256=630D6DD855EBA44341EE933AAC0BFF636C7ED3FCDD5293407EAFB7E294662118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076703Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:04.545{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85839262D1D3CCD237BFFB344CD90BDB,SHA256=7C0641AE7E52FABAABB313F55EC514BC3BA14FAE0B5AE89546549A54DFB0EAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056160Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:04.164{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3822E1A44F3359CC28F9ACF08A81AD53,SHA256=C37AAA9C59EA511A376F5B7701BA9D3E6886A4F60517524852D8A47053CC0F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056161Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:05.180{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC3D31C78E88945D544C4F303F35EEA,SHA256=DBF223BA49612D27EC938A70DD869DA3AFE8E01988958899BA97D1DA3CB82883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076704Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:05.575{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788AF24C6D0B98514E74B8D912FB5544,SHA256=ECD27A28B88502BFC3C781F0F38A932D595AF0A7C9CD0F3F1C7CBC5F7EB537ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076705Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:06.607{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BF35063E56A82415BCB74D72BB78E0,SHA256=22A2712FB64E5ECED8554A35BC452D0A8052314BE1BA358CE14CC0A874AABE87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056162Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:06.195{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AD7B201BD163AEFD7AEC3762882E80,SHA256=2B9463EE5881954F4922F984D2BB9F86E72E93F8616A09B722605BD516043E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076706Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:07.642{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886FEDA3D1149D1039A9C6C2D9DC9AA7,SHA256=60B591EB2984622DCAFE8C3BAC7934D1408237DF8E3C212F4CA1EAFDBDD52CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056164Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:05.726{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056163Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:07.211{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C6BD0D07E70EDE380903BC9FC30BE,SHA256=B12ADC880B85C9D79AD7ABE98D5B5BC57DF29CAF9F0612C4DC8A4921577E1B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076707Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:08.657{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBCCCFA54CC52C5B0DC28CCDE45FC06,SHA256=2ED9884C544A4A04BB72376E2D2332691CC5BB43E08B6BEF9794F34332597C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056165Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:08.211{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8D8750407C01E56C4B74E870E25244,SHA256=B1D281FDEB16EFF93BFDB0CA34CDD434EB76538DB1678775A03033193060F300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076709Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:09.672{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFF191378CB6BD01F3D03898367D285,SHA256=9BA49FE1A387B37C968E5F57E34013B0B7E3F2EDF002EB3EED552A050B18C03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056166Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:09.227{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE6C5C7B63A6F8B8219CEA6AECF445,SHA256=7908840D6F1766C1C65AD8921FD4BD4B7BE313B59877B73C328E56E13E68C95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076708Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:06.198{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56508-false10.0.1.12-8000- 23542300x800000000000000076710Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:10.704{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512A9DC664CB31D0ED2F108761F4085C,SHA256=1E4C1BB064F3DBE8C54A0626BB3033090A512025E3175FA0D5D3396853EE41A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056167Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:10.242{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C06CDA45A056D5D43E9CAD1FF5CE7F4,SHA256=2998BA0D6F366673C7DE32551CDC509989F754E6A3BAE107320317470EC2C42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076711Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:11.738{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98327CE83EEF953B980DF22028E73CD6,SHA256=D92F12509562D7A99C3198DA018835C1DEC6BAC42075F40063FCA875C0BFD2E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056176Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2BB-611B-B60B-00000000F101}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056175Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056174Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056173Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056172Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056171Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D2BB-611B-B60B-00000000F101}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056170Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.961{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2BB-611B-B60B-00000000F101}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056169Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.962{8A88D375-D2BB-611B-B60B-00000000F101}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056168Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.243{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320F79CAD074BD41DF6BB243BAB78181,SHA256=CE44EBCAD7735DA7975207E85A575A773EB9705A268125E01B4E07CC51FF1081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076712Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:12.752{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C86A5FD9BC097AA43761162F07B739,SHA256=93B243805164BF9CBA3943B13ED6DCEFC401FA3599F4E93D237BCA5D39CA68DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056186Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.978{8A88D375-D2BC-611B-B70B-00000000F101}42642468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056185Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2BC-611B-B70B-00000000F101}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056184Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056183Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056182Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056181Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056180Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D2BC-611B-B70B-00000000F101}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056179Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.711{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2BC-611B-B70B-00000000F101}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056178Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.712{8A88D375-D2BC-611B-B70B-00000000F101}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056177Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:12.258{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59F42F597D1001FCE2AA0BB283CB628,SHA256=DEC38E1AF3724AD1DA54E3D8CEDF968319DAF0313FC35AFB510813BFE00619E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076713Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:13.767{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83271E65912E929B1A6F1BA1470C51C,SHA256=BA72A29B85C8A776528B821CAACE7F6D64141B1A981B9C91366660E74EECE44A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056206Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2BD-611B-B90B-00000000F101}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056205Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056204Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056203Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056202Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056201Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2BD-611B-B90B-00000000F101}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056200Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.888{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2BD-611B-B90B-00000000F101}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056199Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.889{8A88D375-D2BD-611B-B90B-00000000F101}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056198Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:11.538{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056197Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.527{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0B85BA8C20388730948E32538B5DD1CA,SHA256=B896096C01B23486443D157F402DC4E09BAE94F2410A3613C3E3EE7DC64B303B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056196Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.485{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-274MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056195Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.259{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8086FCBE9F34A26B97438989BB6B448,SHA256=D0C3A5D3CF70E237B132EAFCCA235F052ABA18F8927AFB9BE0EA3A3BD18732D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056194Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2BD-611B-B80B-00000000F101}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056193Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056192Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056191Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056190Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056189Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D2BD-611B-B80B-00000000F101}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056188Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.212{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2BD-611B-B80B-00000000F101}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056187Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:13.213{8A88D375-D2BD-611B-B80B-00000000F101}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076715Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:14.782{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C48095565A24E07B62512D50999B2C,SHA256=0AE76AAA4B3436B6057DFE1160554DEE33786904177552D25D53CAA4C99795AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056212Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.793{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056211Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.793{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056210Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.793{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A2-611B-1500-00000000F101}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056209Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.483{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-275MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056208Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.263{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18ED365D4FD86A0F8538B2A9C7728BA,SHA256=784FF4B59DE864AD0BD8F9CD1C3847992387F9BD85EA03D2AA02CB95045870A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076714Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:11.225{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56509-false10.0.1.12-8000- 10341000x800000000000000056207Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:14.076{8A88D375-D2BD-611B-B90B-00000000F101}50364736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076716Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:15.800{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5992B68966008F4400818AAF99C6C8AD,SHA256=D028CF71F9C26DA79B4B31DDA731069BF19E518FDD928612AD6CAA44FE774D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056222Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.890{8A88D375-D2BF-611B-BA0B-00000000F101}45683172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056221Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2BF-611B-BA0B-00000000F101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056220Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056219Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056218Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056217Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056216Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D2BF-611B-BA0B-00000000F101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056215Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2BF-611B-BA0B-00000000F101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056214Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.703{8A88D375-D2BF-611B-BA0B-00000000F101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056213Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:15.265{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5322CAC2040E6C14D588E7516CE5AE,SHA256=37179672F2D54AEB976F962A33C1FF99DCC0D273D3F5E3D28F04589AC507306E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076717Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:16.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E5B36FF19F59E4691589C96A7D5AB3,SHA256=A07AFAE0C82CEB0A772752731214E9E99F973F0EF22A52F9AAEA4806C86373E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056232Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.546{8A88D375-D2C0-611B-BB0B-00000000F101}46404872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056231Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2C0-611B-BB0B-00000000F101}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056230Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056229Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056228Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056227Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056226Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2C0-611B-BB0B-00000000F101}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056225Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.374{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2C0-611B-BB0B-00000000F101}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056224Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.375{8A88D375-D2C0-611B-BB0B-00000000F101}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056223Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:16.281{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581FC2A17B1ACD0D8805365749A1073A,SHA256=CAD592D1F949A6DDBBFA6CDB8897464708FA5BBCB700A445EFF833C28C0E861B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076718Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:17.831{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE647AB35FB4612AA81513BB25A29CE,SHA256=878326FF0C0F223C51B736274889CE768823E73735EBA9235ECF5F0117D9BB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056241Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.296{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FF3355921EF5EA3C9292AE0DB13FCF,SHA256=55193CC04B2E134FF72ABA30832329A80DD81E225E2E0FDB243678F788EBCB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056240Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2C1-611B-BC0B-00000000F101}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056239Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056238Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056237Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056236Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056235Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2C1-611B-BC0B-00000000F101}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056234Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.046{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2C1-611B-BC0B-00000000F101}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056233Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.047{8A88D375-D2C1-611B-BC0B-00000000F101}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076719Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:18.845{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82288D747582CC9998670D6135D4105,SHA256=A29EB847253976F54D42D2E65558BD0AC1F6D3FA848012667C09966E7964A53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056243Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:18.827{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056242Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:18.312{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F0F29E6E5CBCE5AA921290EBEF8BDA,SHA256=7281BC0AE46619C471312EA0C8F6811A783B722F9569094D61B2338625CAC56F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076728Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.860{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0E36E6EC4D6A0C42900A9FE462AFC2,SHA256=30E2BF2079E456C02CD68DE4F0BB2AC07FDCD8DCD9C26A3A476B254DC3D7B5A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056245Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:17.577{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056244Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:19.374{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40F9F48E1B24A0C6D1B287F1C1B6552,SHA256=2AB5E993C485E7473F9B144F7248D763962DE3EFFE6F387BACA161E21AFA9DCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076727Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C3-611B-AB0D-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076726Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076725Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076724Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076723Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076722Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D2C3-611B-AB0D-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076721Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.345{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C3-611B-AB0D-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076720Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:19.346{2F630BB9-D2C3-611B-AB0D-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076747Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.875{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DA7C9A6AFAF348C64DF29F8EE50DE4,SHA256=660725D010661D0A7EFB8E56D77A9AF4A270686053377AF1DF4CDF8397E18011,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056247Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:18.296{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056246Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:20.390{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8870E247A871103E9C154AD997DE23,SHA256=3D7396825A49E2E68C95BCF8501BABD03550C97ED58BBF2B017E37872DE2606F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076746Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.843{2F630BB9-D2C4-611B-AD0D-00000000F001}35806116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076745Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C4-611B-AD0D-00000000F001}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076744Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076743Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076742Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076741Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076740Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D2C4-611B-AD0D-00000000F001}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076739Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.712{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C4-611B-AD0D-00000000F001}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076738Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.713{2F630BB9-D2C4-611B-AD0D-00000000F001}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000076737Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:17.237{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56510-false10.0.1.12-8000- 10341000x800000000000000076736Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C4-611B-AC0D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076735Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076734Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076733Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076732Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076731Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D2C4-611B-AC0D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076730Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.028{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C4-611B-AC0D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076729Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:20.029{2F630BB9-D2C4-611B-AC0D-00000000F001}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076757Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.894{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C80BB157E97293B55D9AF2139E95CA6,SHA256=0006AE4A0F8DC22735E4889A15A25EBC8406A1F47447F846984B5CC279393D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056248Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:21.390{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB5D32593CB4475BFE4A8B0653384D,SHA256=8B544EE6D777CB8C328C632007ED2CC1829EE78CE833F51049FE3E7ECF115AF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076756Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.527{2F630BB9-D2C5-611B-AE0D-00000000F001}64883752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076755Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.395{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C5-611B-AE0D-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076754Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076753Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076752Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076751Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076750Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D2C5-611B-AE0D-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076749Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.393{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C5-611B-AE0D-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076748Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:21.391{2F630BB9-D2C5-611B-AE0D-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076776Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.910{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9FA4A52A8D3EFB3DBDE5432CB57B66,SHA256=C3B01338F1019A6604D26903CDC5860D03C9ACADDF0AA58D8F538DF69660B5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056249Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:22.421{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD623654D159C2418443CD29273E3A3,SHA256=4ACD3CDE153D80FDFB2A81C2D181AC5220F1A47A2029CAE6B586AD4FBBE0EFD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076775Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.841{2F630BB9-D2C6-611B-B00D-00000000F001}43284132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076774Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C6-611B-B00D-00000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076773Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076772Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076771Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076770Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076769Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D2C6-611B-B00D-00000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076768Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.710{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C6-611B-B00D-00000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076767Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.711{2F630BB9-D2C6-611B-B00D-00000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076766Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.173{2F630BB9-D2C6-611B-AF0D-00000000F001}49087296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076765Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C6-611B-AF0D-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076764Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076763Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076762Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076761Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076760Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D2C6-611B-AF0D-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076759Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.042{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C6-611B-AF0D-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076758Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:22.044{2F630BB9-D2C6-611B-AF0D-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076778Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:23.958{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-282MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076777Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:23.925{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3160E48EF6CBBB6D86F53CC69089C34D,SHA256=3D321F591CC187E8AF7592D8B5C0C5EE68C3B0DDF92E74D6A54B38839BEAD4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056250Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:23.452{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC169D2F0EDA1E036603D82C9DE7483,SHA256=1A322C55D294E08BB9DB7626EDD14AA0506DCC6938B5AB8E0AF670DB5875C634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076780Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:24.971{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-283MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076779Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:24.955{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1041CDF078208E857181ADF25C2944,SHA256=5034CDB79C0B290C58306776B47452E5957E6E808DB3CAF79CD9F9DB0603EEA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056252Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:22.592{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056251Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:24.452{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAFF85B4012F7C88E99232DFBBD27C1,SHA256=9D3C7C8F5E3A252D5F32DFDF4888F4EB14849CC79750222C7623852F49C47491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076789Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.969{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE08ED57E15DA7084F02D48A07FEBF6,SHA256=7B843B614764FBA6848A476EF6AF5A336AA89E922ED6FCF4F0A33A8B48F990CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056253Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:25.468{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2656C3A2CF4244CC32138F9E3DF822,SHA256=07F4F543B3B9FA7774816345DAC81F60A97837E6DC58EDD99952219C830FA4F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076788Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2C9-611B-B10D-00000000F001}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076787Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076786Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076785Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076784Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076783Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D2C9-611B-B10D-00000000F001}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076782Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.139{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2C9-611B-B10D-00000000F001}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076781Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:25.140{2F630BB9-D2C9-611B-B10D-00000000F001}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076793Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:26.988{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F43E7C316428C717E0180B2D055ED4,SHA256=BCC613646054502B7F761D9238AEE9815CC0CC9055BAF0564164C6EBBF38308E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056254Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:26.484{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD424210B06E3B259EB13C81BA45093,SHA256=F74CE5864AC375500F70CAFD03D309D44980A74A0370F4C8D1CE854F54C3525C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076792Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:23.980{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56512-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076791Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:23.980{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56512-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076790Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:23.197{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56511-false10.0.1.12-8000- 23542300x800000000000000056255Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:27.499{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90C478A94883273DD972B98A179ABBD,SHA256=9CFAD80B8A63579965CB70129BB9C7E3E9DF8AEE044E2DA90E6D57AA7CBE6C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056256Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:28.515{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD5C5C8D5AE9C2AE0C1A01D2781C99D,SHA256=9547A186BE446075D8E4A4088236C0A45FD61AFC60CE6B3D057D3517162E5BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076797Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:28.052{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076796Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:28.052{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076795Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:28.052{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1500-00000000F001}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076794Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:28.005{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE7497296EC040B33F694308CC9FD16,SHA256=EC8CB43B6616926FC555F53FA3270D3E56CB2117B5B34FDD7C249FD3C8E4B00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056257Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:29.531{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87123BEDBD03B4C805C197B16C88499F,SHA256=119BF32515B3ED5D0307A8919B880F4BD1F6ABD728854AF8EC8BBB49C61D92A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076800Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:29.634{2F630BB9-8EB3-611B-1200-00000000F001}4041876C:\Windows\System32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076799Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:29.634{2F630BB9-8EB3-611B-1200-00000000F001}4041876C:\Windows\System32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076798Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:29.035{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03CDA996593B3B4D02C6E6C6030981A,SHA256=B595BAF65698F02786EBEB36B48437D9EBF3FAA7106593CA81731E10772F1833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056258Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:30.546{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58076F1C71AC9EFB490573D78D1CC789,SHA256=D87FC240CA39FD5F5F6BAA0C34367BA84440FB120F7887BD68ABA2759A49ADF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076801Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:30.065{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2ACA4232F2E33E2A12CF8E65800040,SHA256=24F4FE4C601608218E896F9D8066E59A0514F451E7B96472DE8933E5CC9EAEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056260Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:31.562{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A37C2E29EC50507010EF2CD59AAF9F,SHA256=56BBD16473B215D1E8F892A8CEA1CDBD5796F8A539023B6B8EEB1C178ACCF50D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076804Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:29.205{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56514-false10.0.1.12-8000- 354300x800000000000000076803Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:28.789{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-86.attackrange.local56513-false51.103.5.186-443https 23542300x800000000000000076802Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:31.086{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02874532394B4CCA8F18FA41B8E81ECD,SHA256=0676D1FA5A01E533AD880201A45E6134D3A5F6B3E62C56154D253D57CE6E03B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056259Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:28.561{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056261Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:32.577{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6491679C27472915037C862D4E3978,SHA256=A31C7378CE75E97C34E11D0E8F4BCAD4D152D7CAB2E7C7C33CFFD6612A5DF9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076805Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:32.101{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5467FD266C34FA575944DE97875AAAF8,SHA256=19A7661B36F1C099B621342C93F7D3AC84BF36970DACC0EC6291576232299F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056262Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:33.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E134D4B5820F32636BC95DA7F899E7,SHA256=9A7B608D0B1F1862FB04420F5127032DD17A23CD348505C43998F9408BD5109D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076806Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:33.131{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74926430C54F0862F4DB271E298AE73,SHA256=DA23DC1FB445759AB40B6E57D522021E45A1D9BCD612652D037480C5EEBCF85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056263Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:34.628{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20FF3EAB64A177AC8AF91DFF2B88446,SHA256=9A414F71D2BCAC7E61B1F86BE9360DCF1FC4B45B998E74A91AE3DB71388B6BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076807Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:34.162{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14791AE179B458C76C407183B54331F7,SHA256=60542C2823B0D8A476090CF54182222ACA834F3B70D1FAF2094EB05B748BD121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056265Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:35.644{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEE24C0F6B4F10BA248E4821F76A801,SHA256=6000C1DE60F5D7F4AC7C2D38FE79FA59B5FD9F62002B4D9629B24727563E8A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076808Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:35.181{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026AF379355E69411731DFC73946832F,SHA256=EB7A95B7A4525A42AB65AF409630693A5BC0D8849C822EAD9ABF3F98A68741E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056264Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:33.611{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056266Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:36.675{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71868D0DE4F6C45C71CF944666D965E0,SHA256=7D94F3AB6B913E187F342F2FB06742D9F2FD1866C8FEBE8FD04C032A9C5B4F34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076810Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:34.338{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56515-false10.0.1.12-8000- 23542300x800000000000000076809Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:36.197{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82068914C8B0DBDE3FBF0FF5EDA0143E,SHA256=0730D1539C81E5187EDFE933385673A27D41B44452B9AECEF9068456D54C0D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056267Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:37.690{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B12E036265F9A0F6A47762B023BA5A7,SHA256=4D2A6F5D9F330D4B17CE715CC7527FF4B12DF9F7AD343306E8758D15E8B4B602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076811Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:37.211{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B2C5DB804F36C76FD533EBFD881CB9,SHA256=65677148724F96B3A3C43EA743C300C232475E31E7863FE6778A941A4F49292C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056268Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:38.722{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2071A8E30BCCED377630B8323A7756B0,SHA256=C7432758D10CBD5E8585A0D22D6D2A6ED7A38E0E61D85AB5DE29E52C089B85F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076812Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:38.226{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC4B0AB6B42CD64E99CB965C445B90D,SHA256=567265F19CF30695082010A4079AC739C8F30E93120BB2F616107F59C11EEF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056269Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:39.737{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FA49D22DF4DC713F96BEA4395F36D8,SHA256=61110FC40C93226FAA51B124629360DAE240F0BAE3899DBC3E639F0290102E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076813Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:39.240{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784F698A147A2E25D3933A68500242DC,SHA256=B8566DCAD8CA271EBB3CFA4F9929E34023207DFF755F652E4737B03EF006CB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056270Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:40.753{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21C62E7B4999DE5DEE3A35068D07128,SHA256=BDFB29E6D6F723C4109DCD85386770C462E628096C5FC54B9BE6247B87314DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076814Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:40.255{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F035807F619317B3E3540114C9CB8B8D,SHA256=BF4CD5875A1F288AB67683FFB7D44D4DE9F24F108D32B3F713AF1D9BAAF980F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056272Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:41.987{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEC36E9C500DB5F5989DF5C95F96A7A,SHA256=328DE241CC02F404CB71787EF4BC2F4C31AC93408E3DEA6FDB83CD2947E35697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076815Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:41.271{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E4D2F74F36F3952FA92311C30F73B3,SHA256=5C3E71CB52A1F374B77DFF8FB087531EEE6207A4CC5A2CF98C73EDEB5C3F42CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056271Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:39.580{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000076817Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:40.278{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56516-false10.0.1.12-8000- 23542300x800000000000000076816Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:42.289{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3CAF94C9703CE3615F1AFE3B7F888D,SHA256=6DB8860C981A20DD39C06A5B3BE20ACAB98AC4C1B36BFFE5AF4B52D2F84B011D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076818Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:43.304{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A508E1B1D97E83A29ACB5B9FB856D62,SHA256=EBB4DA64EA555B4D8F9A3DBAEFE3D719D5B9889A5B78C9B21FCC4401BB8B1022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056273Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:43.018{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B5BB2C8630BFE2AEE0C5CDF2E5175C,SHA256=09D76E3020F366398B268973BB796C85369DBFA64663C8BECF5327960A272D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076819Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:44.319{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CB69A0B2E2AADB0CA2C6460AD206B1,SHA256=5265A0BFBFEFCFAD51D1561ECB67B760806611E77FA148E19EB90C7302E02ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056274Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:44.034{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858D1D80D600B75F23DABDF9FA2C20EF,SHA256=E8A2923E07FD436761A04F7CD0A431F3F183ED4A7F314E384FFC67660947A10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076820Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.348{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187909D903E0DFDF0AF272947757AB44,SHA256=06363918C4002904D818ADA35D07DEBD7870DF7871CF82065C6197600085C4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056275Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:45.034{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C969D5155F4E4404FEE7F7A4E40285F2,SHA256=1BE1A46BF3E46F9B031F2A38FDBE41FF74B4AEB73908F9961619BB3F85AE966D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056277Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:44.689{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056276Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:46.065{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD26EC11A4FD4A5865296326AD714E1F,SHA256=80681258C73136CFC637016456205DE4F80C9A53F64B973B9C1B79DD6A16273F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076824Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:46.366{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361C85C890909F919C122BC56CD179A,SHA256=A8B2B81BBC2F7E2C08FE35B34EE6E8877AFEBD629A170B8C8B99B3D9884FC749,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076823Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:16:46.284{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000076822Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:16:46.284{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Config SourceDWORD (0x00000001) 13241300x800000000000000076821Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:16:46.284{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EEE851C9-D76F-4DC5-8941-E56B2E5B48D9\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EEE851C9-D76F-4DC5-8941-E56B2E5B48D9.XML 354300x800000000000000076832Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56520-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076831Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.445{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56520-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076830Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.440{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56519-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076829Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.440{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56519-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000076828Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.426{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56518-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000076827Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.426{2F630BB9-8EC0-611B-2E00-00000000F001}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56518-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000076826Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:45.388{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56517-false10.0.1.12-8000- 23542300x800000000000000076825Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:47.384{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BFD12DE4A3B752233EC142F624F4CE,SHA256=1DB199CE40BAA529D74F2DC443C30075C964799085761171660CC6CC3B6A9707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056278Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:47.081{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66ACE82D7EC9ACC05F4B972E5112A34,SHA256=E578D4AA98700BF242C222F3EE38C18BCBF9DB656B2C2A86E80B1BB641D91B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076833Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:48.398{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86D7540E83F56A98583B3FB6E42A36E,SHA256=9A563EB61E3E1DFC162F5FEDD6538CE5A426E395CA7DEBDA5394C84F1DEE0E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056279Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:48.128{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D3AECC65DEA99F19F641E13ECB50AB,SHA256=0FCB66AB2E64AD13156FE05AB9879B7498931B3CCCB5A631FC860F0AFABA3286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076835Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:49.413{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3D11BA17E088A6864A1AB699C34F55,SHA256=28E38F059DA244383C19B27231A558DF2FA5A3DBC4820BE2C7BCB01792878B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056280Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:49.190{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1802CF262301DA4A0C02E9315719920,SHA256=CBE9B0561323581C84BFBA4704EC8AC9FAC692A48D7E72DFA6A5E95C1322BEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076834Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:49.213{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056281Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:50.206{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF8327485A0E0B3814E0BE2BF0E88A4,SHA256=369D6369867186781445EC3D4F0F5810B2F57C7026603D0426F0F28E38F05239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076836Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:50.427{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9F2C5996DD11D02CEE35E0FDF97E9B,SHA256=E9A1147664F582A825AEC80290DE09F91ACB193D308DAE62D877BFBF37970B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056282Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:51.222{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FE6F9D723EF15C681FBC70BF57602E,SHA256=FC74E88078EAF27FBF3BA954073895ADFF31C2DCE1BA22B55BCBEBCC83865E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076838Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:51.442{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B00BCDB1988388927DC18A78E2887C,SHA256=4E55441A3E857780DB2C6B1E4E5707653421D6A32B7ED911F924E8726C7B25CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076837Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:48.338{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56521-false10.0.1.12-8089- 23542300x800000000000000076839Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:52.478{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47E0F48927D0EAA8599A8439BD4B3A4,SHA256=9475364755346E16DE1B548C3A80FACFB80C3EF8E6CDFE652AD3352B52D63491,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056284Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:50.596{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056283Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:52.237{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AC390C31E6A5E1BD7A39C3F9D041DE,SHA256=1F7223047B7C7831816B8688EFE2ADF2DE6A78FF8B2D8E2703BBDF48AC03CF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076840Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:53.508{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1AE731B4B0B77699181BEE4E1FF63B,SHA256=64D40E3DEB754C2D06A75839EF43DBC01D08B7464F4496A6A5B074397BAE941B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056285Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:53.268{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0099FD65CDE86E70F1F714907396BA,SHA256=F907E9A228CE55D82343A2B201B06C300B49A965CF1DFAF519636C8A7D11DB67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076842Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:54.539{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992DA95BCA92EBAC10E2B354865E1BC5,SHA256=AAFA66CB372352F4E0EE39AE23C5DEFA28EC11AC72C6D336D003CC1887A1CFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056286Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:54.286{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766CB3C73B7E77D462803839C4FCC474,SHA256=1A6885ECE660731ED4E9822C079F20ABF9A3224C046B99AAFC85D6C31A899A53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076841Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:51.282{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56522-false10.0.1.12-8000- 23542300x800000000000000076843Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:55.575{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5761BAE1864EDE6006BBED9DD51EA46E,SHA256=F9AE8A33F81DB3F4CA199913E7A290F3A411E0A20ACE6FFD058E5625167D231C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056287Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:55.301{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0D77160D08CA7882DC28AF792EB89A,SHA256=FE049D691412EA284B3FD7181D3B6B9A736DF6821CD644EDCE0F21B68B413ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076844Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:56.605{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4962E1BD5F2B4733E9086084EDE87FF9,SHA256=DEBCF1DD53248D74171A55952456A52A7B1E2E04EC3BCC4B26DF33996D2C462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056288Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:56.317{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795DF534B56BE3F6477DD094BB37F1C5,SHA256=69165FBA2535AC824C0705D6426D43E245AA38AD60F9876247B60725CB546D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076845Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:57.636{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7DF9577026CC97284CF55703EB110A,SHA256=F9BB7916F1DAFE178F47E72CA2DF1D0D30AE3ADC965647EF2008B52173CC225B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056289Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:57.348{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C71F44023818795DF961FEBADCC9B,SHA256=1DB315068465F751A2723E08D468884E7B7AFB08EFDCB53358168B897C1A2E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076847Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:58.719{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4668BD9AD226A2B0ECBC157B1FBD4A6,SHA256=BA251557B4DF910826E6ABC496B644E97BABC936973977C707FCF0FD1A7724BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076846Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:58.672{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81AB05F0849899AA25199D5D1056999,SHA256=C5ED3A7934D0AA6AF559889EB77216F929E8B21ED7CDE52F3C0841F7E22BB70D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056291Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:56.597{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056290Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:58.379{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D2AE183B891FE1EBCB6AA9861A45CB,SHA256=AF39E94FFA29FD97FFA448FF094E24B46E850240CE5F764EF92E8E1D902C5782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076848Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:59.702{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CB0DE135C43742801DDDA111ABBAE8,SHA256=CE56F425337262CA4C136590EF997AF1355C98476C561FF8FDD305224A78B17A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056321Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056320Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056319Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CF-611B-0D01-00000000F101}4620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056318Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056317Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056316Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056315Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056314Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056313Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056312Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056311Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056310Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056309Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91CE-611B-0C01-00000000F101}5108C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056308Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056307Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056306Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056305Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056304Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056303Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056302Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056301Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056300Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056299Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056298Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056297Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056296Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056295Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056294Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056293Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.786{8A88D375-90A2-611B-0D00-00000000F101}808828C:\Windows\system32\svchost.exe{8A88D375-91C9-611B-FE00-00000000F101}3556C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056292Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:16:59.411{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748BD8957C3F1854DDCCDB99D145C931,SHA256=86193AC965C6A6FC5F298A89929C492761BFA709FA5E7B503A41870EEC37898A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076850Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:00.732{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD8054EE7C362AA8F2BCEAFD2B3532,SHA256=0B6F7FAD0AA89427D5AAC0281E5C4BF408B9783F212B1E852AF7F03EA8EFC1F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056322Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:00.801{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A2624016FE772A92716FE2A988D672,SHA256=D92FC4F4303E3780A02223AE0F14503833770B5D9CDFA16C7C2EA08439B29D98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076849Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:16:57.191{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56523-false10.0.1.12-8000- 23542300x800000000000000076851Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:01.753{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD5B92A37582461E63B26E242DFFF6B,SHA256=8EA2528763438601EF8F69E4DB5F604986403CFE03B556140A2E4B7F40A902BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056323Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:01.879{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C36D2E81BBE6D96DC7025EBEEB109DD,SHA256=E6DBE7214F42C44B477B0906B4600A9CD1750BB5FCF6914A43BAA06433900277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056324Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:02.895{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3F362D9008994E54AD4ED99D49CCD,SHA256=5686B7B15B4BAC9FCE168F638BAFEC13EA0759C1B5BE4F8AEB61B92BA401C094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076852Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:02.768{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B79A224CB7C47E4D2BBB9C4DE90BCD3,SHA256=BDAF7A8A49ECEEA2EAD7C20495778C44C92551EE5098F0DFF568F45709052CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056325Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:03.911{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68613DBD342B0299B029ADA6EFF2AD4C,SHA256=35C74FCA665FDA17F683135F60C52BBA533ED1D438244CE345D11519EAF3779E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076853Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:03.798{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0658F58E65A476B178DE52BE9D78DD5F,SHA256=CC24A648128FA60CFAB4F097E740F23A52A90F221F3BD0AF7C9E79BA3864A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076854Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:04.813{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3EE70E83B48538A5AA21612C2C6649,SHA256=9B3C1EA173A6D5ACA0F5CE96BBA005CAAC82226E0BE2A1A995405FCCBC8C7F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056327Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:02.597{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056326Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:04.926{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9067AB215CD6820FF17AA948A18B63,SHA256=4779F74810C0394E5259FC632E8B5A7D82452DC443D3CAB060F0A9DD9957046E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076856Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:05.827{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB1C7F925C5F691082B3FA3F90788C9,SHA256=4FD3AACE271B168FEDD3742DB0E466A2B807052FF354DE6691F625877F99D2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056328Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:05.942{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E43F10368C945F37CB67811CA60FE2,SHA256=3DA03D2C83A770539761DACD225E214DD5EF834544E6533CF7E0F6D5A7E54CDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076855Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:02.387{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56524-false10.0.1.12-8000- 23542300x800000000000000076857Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:06.864{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249E7DFA0A296D427DDBE42C15C3F101,SHA256=DB7E9391606603E94877B2F9854ADDCA87A87E3C64D4408AD1F6BAE78C04C486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056329Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:06.957{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E1FCAD78424BA60D14A152DABD38A,SHA256=C8958BACCAB0E7F3A6919326ABABE4BFA9B2074EE8575BC5FDDE98CC2D5C63A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056330Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:07.973{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3392295BE2E5E5FB3275E6E70030A0,SHA256=9323E02104106BD60EC5F220B6629A8900D4FC7560A2C3A7ED023C00218C189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076858Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:07.894{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E35DB24BD096ACF96F5EAD27845D56B,SHA256=AF061EBED5BC5F34DC4D86A0B1C903AE71FDEA9F39A23DAA10339101E4C8C4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076859Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:08.924{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C818D3725B3FCE220E2AF99CE6F741E,SHA256=793AC7F77C1DECAC247C5DFE3FEB66E6DB7109A574390C21DC9E861C1ECE942A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056331Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:08.989{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC747C1F9CDC58329BF1AC8D0F731171,SHA256=E48D7FCA6082140674F7AD2996AF99ABFA3CF05E6F6F8EEBB2021D4AC48EEEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076860Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:09.942{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67F5CBEACA2D85D16FC7B38002F3224,SHA256=363976A12B75798714B752B99E3495169FA0DCD6FB663AD0415685DBD093EDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076862Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:10.959{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5EE2E3DD67E0231EA4E92EBBA7179C,SHA256=9158AA39443BBB4AFAF193BD5FB79CDF47B31D9D4B95C2D55EE5561189C45517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076861Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:08.317{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56525-false10.0.1.12-8000- 354300x800000000000000056333Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:07.628{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056332Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:10.004{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AF60D22D0FA0AF762BF1A41E42984A,SHA256=DC390E5F89E8AD554B00A371A11C7639F54707A6E39D4F8549FFFF98A79D6E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076863Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:11.988{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E33B8551A11AEDEA4917C4B770A1D93,SHA256=7C231F902A0464B1F2B3728FD34314F605921392D0DC10BC3D72AB1CA388C7C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056342Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2F7-611B-BD0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056341Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056340Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056339Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056338Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056337Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2F7-611B-BD0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056336Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.973{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2F7-611B-BD0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056335Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.974{8A88D375-D2F7-611B-BD0B-00000000F101}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056334Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:11.035{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59E9E87E0033C94A8D02955EF7CED31,SHA256=A527BAF737F32F8A6EACB4D853DB0FFEF14F05B05A9290EF2C6E88D96071F62E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056352Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.957{8A88D375-D2F8-611B-BE0B-00000000F101}15044244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056351Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2F8-611B-BE0B-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056350Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056349Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056348Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056347Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056346Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2F8-611B-BE0B-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056345Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.723{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2F8-611B-BE0B-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056344Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.724{8A88D375-D2F8-611B-BE0B-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056343Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.051{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B446A4C7EED6945FD5F135F19CF09ADD,SHA256=4C575EDF8FA101BE666D58669DA401810C349EF859BF34846BC358FF9C63B50C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056380Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2F9-611B-C00B-00000000F101}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056379Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056378Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056377Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056376Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056375Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2F9-611B-C00B-00000000F101}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056374Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.848{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2F9-611B-C00B-00000000F101}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056373Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.849{8A88D375-D2F9-611B-C00B-00000000F101}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056372Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.535{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB5B567AA010CE2F36E326E09C33DDAB,SHA256=69E28F6EFCB89B4936CA4A8096A751C3E7F635939DE4694BAA165FC1BD787D96,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000056371Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000056370Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010331b2) 13241300x800000000000000056369Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79372-0x9296b830) 13241300x800000000000000056368Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0xf45b2030) 13241300x800000000000000056367Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79383-0x561f8830) 13241300x800000000000000056366Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000056365Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010331b2) 13241300x800000000000000056364Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79372-0x9296b830) 13241300x800000000000000056363Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937a-0xf45b2030) 13241300x800000000000000056362Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-SetValue2021-08-17 15:17:13.348{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79383-0x561f8830) 10341000x800000000000000056361Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2F9-611B-BF0B-00000000F101}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056360Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056359Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056358Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056357Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056356Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D2F9-611B-BF0B-00000000F101}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056355Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.239{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2F9-611B-BF0B-00000000F101}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056354Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.240{8A88D375-D2F9-611B-BF0B-00000000F101}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056353Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:13.114{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FCB992FB0C2A8753B589D5C5ECD989,SHA256=E69B5A414E4D9BD19920D1395995D3CF2604C4889B9EB354323089C3FC370054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076864Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:13.003{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBAA920BB3F4E79050A10F540CCCEE5,SHA256=DC5F91E022B7C5926FDF335320E9518B1BD30E05F787204EB69B54AFF3103B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056382Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:14.114{8A88D375-D2F9-611B-C00B-00000000F101}6802416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056381Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:14.114{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049B0AF1A90CE079EF6BDD28BE8167DA,SHA256=8934EEA596B08756802D65990F3CDA4B523E2C210B6FAC95E5DC16F87A9FFD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076865Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:14.086{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A93BCECC89DE20B74A199D4275EA4CF,SHA256=B02A83855EF3790174F2B27E12E38C82B8420D79BD4D7BCBED9AF6EA6760768D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056394Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.928{8A88D375-D2FB-611B-C10B-00000000F101}41485040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056393Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2FB-611B-C10B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056392Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056391Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056390Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056389Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D2FB-611B-C10B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056388Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056387Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.725{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2FB-611B-C10B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056386Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.726{8A88D375-D2FB-611B-C10B-00000000F101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056385Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:12.690{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056384Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.115{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2D67B99BAB1C340B5426D80B833510,SHA256=DC663780C8CD070CD573F857A44AD623950E2B457B1DBD40F4F2B0DE1FDD1705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076866Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:15.116{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C8DFCE3083268D277FF270EBCB1F7F,SHA256=3A0A6561973CEDFBE2155EB31FB32C61BBA193F5FD36A5063BB466FAF9D4F417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056383Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:15.009{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-275MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056412Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2FC-611B-C30B-00000000F101}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056411Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056410Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056409Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056408Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056407Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D2FC-611B-C30B-00000000F101}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056406Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.837{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2FC-611B-C30B-00000000F101}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056405Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.838{8A88D375-D2FC-611B-C30B-00000000F101}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056404Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D2FC-611B-C20B-00000000F101}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056403Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056402Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056401Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056400Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056399Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D2FC-611B-C20B-00000000F101}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056398Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.347{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D2FC-611B-C20B-00000000F101}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056397Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.349{8A88D375-D2FC-611B-C20B-00000000F101}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056396Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.129{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D745812EA697630D79EC1A7396E7AD4B,SHA256=41973FF1AEBAF5052389CABD6C5225273D53C21865D2574D9AED7527A11C1976,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076868Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:14.272{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56526-false10.0.1.12-8000- 23542300x800000000000000076867Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:16.132{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A58E7785344BD8CDC6589E21843DA6,SHA256=38C21E4F2EB3304035BD99AA2F3B23004DA48589F416F7CD49E1FE801CAEE68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056395Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:16.024{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-276MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056414Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:17.134{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A002242FD5514499BDC0C7F2AECD9538,SHA256=663BCD124A7255A68C134858A5EE577F5E3C5E1C66D5101EBFFF2538B7554EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076869Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:17.151{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08067DBE233EFC1997767CCB7B19DB36,SHA256=10C01A31DCD235928E5268800C50E2C12284388A4750CB3D5FBC1E76DBCE688F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056413Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:17.009{8A88D375-D2FC-611B-C30B-00000000F101}36522004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076870Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:18.152{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BA6A4E171FC74AE1E8B08875F08282,SHA256=65AA9E8109E48157A81011D552836787ACA7236993F6FB4F50285BB3CF61A1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056416Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:18.852{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056415Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:18.149{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB1121739490557F1E7267D7FA4BFF0,SHA256=8F5B55BAEEC3AEA6E216AFAE81F9B41CF6C2533EEB9A950A04CB07D581D27A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056417Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:19.180{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0D7F7417057EC31FFFB9A47AB5242B,SHA256=CF6A1A92C1E6A5826E518FBC1175E66EC75B9F155F49962164230D108BA9B072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076879Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D2FF-611B-B20D-00000000F001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076878Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076877Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076876Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076875Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076874Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D2FF-611B-B20D-00000000F001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076873Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D2FF-611B-B20D-00000000F001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076872Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.351{2F630BB9-D2FF-611B-B20D-00000000F001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076871Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:19.166{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7676A0C097023644085496BED07DC7,SHA256=5859DD949BB4D491B8A03BB93F16507B24F231FF8737D3AF74483C4059F7C0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056419Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:18.320{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056418Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:20.196{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B50B8C7313760B7C0F1644FBDD874CD,SHA256=9F1AACD79D722C4BF84CA29FAF3EB3F3C2AE18BAA8C7067C99F324C40686A7C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076897Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.850{2F630BB9-D300-611B-B40D-00000000F001}77687272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076896Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D300-611B-B40D-00000000F001}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076895Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076894Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076893Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076892Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076891Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D300-611B-B40D-00000000F001}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076890Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.712{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D300-611B-B40D-00000000F001}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076889Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.713{2F630BB9-D300-611B-B40D-00000000F001}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076888Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.181{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30344F4301F98AC7F08812C7016D93A,SHA256=2591A46F6A80EDA0A3ACC4DB79999A0D8354669DA527362A358F71A698B50A18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076887Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.034{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D300-611B-B30D-00000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076886Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.032{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076885Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.032{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076884Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.031{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076883Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.031{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076882Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.031{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D300-611B-B30D-00000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076881Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.031{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D300-611B-B30D-00000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076880Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.029{2F630BB9-D300-611B-B30D-00000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056421Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:18.617{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056420Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:21.227{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2E08AC9FD2AC14D2E83FC5EAEFB1C4,SHA256=8A0806514A712201ED63A47F52EA1A138A836E24C51C9FD1383A37122E1FBABB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076915Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D301-611B-B60D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076914Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076913Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076912Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076911Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076910Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D301-611B-B60D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076909Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.911{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D301-611B-B60D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076908Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.912{2F630BB9-D301-611B-B60D-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076907Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.365{2F630BB9-D301-611B-B50D-00000000F001}78241200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076906Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.233{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D301-611B-B50D-00000000F001}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076905Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.231{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076904Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.231{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076903Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.230{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D301-611B-B50D-00000000F001}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076902Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.230{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076901Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.230{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076900Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.230{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D301-611B-B50D-00000000F001}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076899Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.229{2F630BB9-D301-611B-B50D-00000000F001}7824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076898Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:21.196{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DB028EA8DE6B271A50879E552B9D6,SHA256=F2BE9DB6C129D0E5F2727D38A81AD9F201826C9E1563B2ACAC8E2076342161E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076927Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:20.270{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56527-false10.0.1.12-8000- 10341000x800000000000000076926Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.664{2F630BB9-D302-611B-B70D-00000000F001}46926064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076925Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.532{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D302-611B-B70D-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076924Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.531{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076923Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.531{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076922Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.531{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076921Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.531{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076920Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.531{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D302-611B-B70D-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076919Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.530{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D302-611B-B70D-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076918Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.529{2F630BB9-D302-611B-B70D-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076917Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.211{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEF64578918939BA3CC872BB47383E7,SHA256=8EF01063BFFDB7F44F4E254BA53562A146CA0B4FD376058A7B55CBF882DFB21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056422Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:22.243{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697EE0D423CDE1840A03FC0B9D9AA4AF,SHA256=8D7776B9253C33E5DA172A2365BB8DCBCC47EF98AD71404C55165F16D14A24EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076916Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:22.049{2F630BB9-D301-611B-B60D-00000000F001}78087872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056423Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:23.259{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A88E824C16C9BAED6318BFE4F915B0,SHA256=9F599D66C1075A6C97E261BB3F06AFDEAB06D7C9B392C14726624C1AEEA24403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076928Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:23.232{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB608F14F8D93593EEAFF17BD57B2359,SHA256=DB51AF22EBFB4DEEAA64DED79E784225AB1E66272CB976ECCF36E4688010BD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056424Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:24.290{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE01AEE7E9C73A533435FD426A65517,SHA256=181FD104BD4486EE9B3004D4B7F99D35EBD9A8F33CA7A81F620B95D8873DAFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076929Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:24.247{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368524F6FC9DEC4DCCD61BFE12AE083E,SHA256=09A7FC1553BD985A3DA4AE794A59A00264A08BE009B3B4EDF7F9395C9B5EC25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056425Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:25.337{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32E60A290BCF51438CB724AC94F3E59,SHA256=9AFB3010BDEDA66644DEA09D3D78CE920967882C3A0098CAA77806F878B94B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076939Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.496{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-283MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076938Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.262{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED6613F04EE2A8BB08E6554751C1BA9,SHA256=E4BAE1FC1246BF83D3D2B2B572FC8423DCC833BBB9862C6EA697D2381ECB5120,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076937Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D305-611B-B80D-00000000F001}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076936Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076935Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076934Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076933Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076932Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D305-611B-B80D-00000000F001}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000076931Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.146{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D305-611B-B80D-00000000F001}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000076930Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:25.147{2F630BB9-D305-611B-B80D-00000000F001}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056427Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:23.679{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056426Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:26.352{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B013E2F96E9B7BC08D0FFD183105B9D1,SHA256=E5C1F7A87E2B81341D9558710FA231AC4DAC5195A1EEFD4766EC7BDD8616E794,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076943Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:23.987{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56528-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000076942Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:23.987{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56528-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000076941Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:26.509{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-284MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076940Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:26.277{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D563CC60E5A4DD6C16A7B6BD621F40,SHA256=BFEB88DB058BFF39DDC7FE0AD3A4D440701BBBB67C001E6BCFB137B0E6FE233E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076974Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.806{2F630BB9-8EB1-611B-0B00-00000000F001}6324720C:\Windows\system32\lsass.exe{2F630BB9-8EAF-611B-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000076973Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076972Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076971Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C759-611B-210C-00000000F001}300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076970Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076969Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076968Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076967Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076966Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076965Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076964Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076963Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C757-611B-200C-00000000F001}3436C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076962Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076961Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076960Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076959Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076958Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076957Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076956Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076955Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076954Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076953Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076952Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076951Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076950Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076949Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076948Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076947Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076946Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076945Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.360{2F630BB9-8EB3-611B-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{2F630BB9-C74D-611B-120C-00000000F001}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000076944Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:27.307{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF86C4BC59A35682BA99AE8BF712A4A5,SHA256=38E0482C546BE09E4F63F3B2D4C0007BEB8B3CA69D145FC11DDD61EB12044DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056428Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:27.384{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57E54FE884A5508CBC9D239C7698D29,SHA256=5CC4A43D8B7ADE9A8C56F9219F86F0EE28FA332A0E56BED68E415265DE195E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076977Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:28.827{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3B5F4C42512BCAB56CCFA1A5D587F8,SHA256=C7F73CED6B9C85F2BE7E6AC6B4DF754D0D810A32847D435FA75CE6D486EC79AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076976Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:28.827{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35C862E99113C8E0BF464BB7DD79E81B,SHA256=41E076DA7B4DC2313F2D3FDB3F01BC9FB5FEB5FFDCEA7313787D4FFC265450A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076975Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:28.774{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B10E7B66BF9189E69A33377B42FE34E,SHA256=E4D7446DABFD45DA74EB8BEDF326E7C55A735247680CD3ED1B92CB3F518B56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056429Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:28.399{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A37C176DCA008BEEF4BA0A0254FA07,SHA256=16FA36A472EDEDA66A4FFF497D8F7C31B12B90821F1359FF2927C5F3B084A809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076979Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:29.804{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678E5D631E6F0DB6F034D097CC55EFD5,SHA256=20E871301A4B8A5DFC0BAA0D3ADBE17DBB2745DB787F66608DE618735D2ED80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056430Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:29.430{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB3128EB68DFF24EBF588C0E516217C,SHA256=A03F35B65682A98C7952AB57F62DCAE2AA68260BA1F6EAE2F8D3B6DE73B952A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076978Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:26.300{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56529-false10.0.1.12-8000- 23542300x800000000000000076982Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:30.823{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0402C2AB608D680297811B4F4D602569,SHA256=9BC0C28273791BFC770D131433B2479438856ADEA15A2FF425539926831F59DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056431Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:30.446{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9EC23B6232907F6F0A4F74D4780C9D,SHA256=CEBE46C3B64BF626F12AD6B2DDD8DF9EB4993F9291966DD3EF7A682BE89D3789,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076981Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:26.948{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56530-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000076980Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:26.948{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56530-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 23542300x800000000000000076983Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:31.839{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F482704C36ADB198EEA87E1088859A59,SHA256=B26266FD4D00E20DC5F1B83027F06CF8F5E8BA41D40B59CD322FE5331DAD9C9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056433Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:29.616{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056432Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:31.477{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8084107EC6FB75AE7ACCBEEFBEAD48,SHA256=DC7A0011BFDA05FFB47CA904E79B36EAFF903302BD7567EC456A5308998F6DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076984Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:32.869{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECA51BF6B163F15D2B1F8B55BFD105E,SHA256=6C8C0ED96E23A3272E4DF444DAF7623B6E409AFB5CD8662D0BFB59BFCB48C1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056434Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:32.493{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29A4C1B5EF49767BB2E303AFC6F6D37,SHA256=6BCC3AFEDF217A1F32D46A6824A8A73762EE2E8B6D25E3C1BBF4C85E3FC0D738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076985Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:33.899{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC560D73C83DD563E6EBF15732681D83,SHA256=50A214D12496BE6FF6FC747EF7D2F11B8024AD349A5121F1070A7D825148F15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056435Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:33.508{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD76FC24E3840127C6C9FA6D6B9B7572,SHA256=96A2A4B520D42F9A3A48480A624429394DF2CE17EE5A28EAB25B58EC56C535BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076987Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:32.241{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56531-false10.0.1.12-8000- 23542300x800000000000000076986Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:34.916{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75ED8A836C89F9270EDF8B1B63528C9,SHA256=E67977C169523AD05E531A1E343C9205F8782EF27D308938DDA076687E882226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056436Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:34.518{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951B770809DC145BD5AED06D39BD52FF,SHA256=0C2E0651D5EEC546C757C1B7038B1D3C4CA63145FFCE4C1D94F0BF7858623528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076988Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:35.934{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACAC2DBDFD5345F24C87DBD7A883EA7,SHA256=8C1441D9C0BDDB1CD9AD8113174EE5F9D0CCF7360AFA76323EE7E3660AC5ACFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056437Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:35.534{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9733596D12802A2A646C2368228E5FD,SHA256=9DC22F2B428CA275F8DABC6A09567AE55BB101657D362D43B5AE0F07A256EBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076989Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:36.964{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3D4EA1A95228C34067855C4C357944,SHA256=359876A8E754F555ACB60E471A1C89B5B601C2ADA8122EEABC3F8304FC460A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056438Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:36.549{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3D4FBEA8A169A225E2A77D9F0EF4C9,SHA256=4DC0FCE0B4EFC84E951421A20529B0345CBEB4F2BCB81646F74FD7CBAA98A317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056439Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:37.596{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016ADEDD60631758BFD180ED8DFC8D93,SHA256=ACA4B754507DF34E95BF6B2CAE917D9D061DCE64F7C9A402DB2D4BFADABE68CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056440Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:38.627{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346092E615926073E294D01B69B3ED3F,SHA256=598E4F44FD7072B7888BA2B0DF7136040526DD444AF0875AB583630E5CC09AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076990Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:37.994{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE48388FDA80F7DD22763C9CE0479DC5,SHA256=EE3B088EFD869A33497692C58075009B9A24E1CB420FB7FF1119A72D578DE832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056442Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:39.674{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C6200E1CD876A9B953AC9CA06ADF2B,SHA256=23BE6A69BAD0274C91D22532D26DB30CE3B8A79B427F7A18CB0CCFC93DD00CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076991Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:39.012{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBD2D89EE5FD85B1B1F0645E7A119FD,SHA256=C49210113EDB2E5DC580A993779B59E2A14764D8569630B9C5698EB5AE6EA615,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056441Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:35.595{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056443Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:40.690{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA98402C4422A3E40E3C31C626991582,SHA256=A01B2DD9FA03D411FE9001150BD311FD19771FEB560ADCE22A9E78380134CCE5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000077003Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000077002Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010b2bb0) 13241300x800000000000000077001Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79372-0xa2de38d8) 13241300x800000000000000077000Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937b-0x04a2a0d8) 13241300x800000000000000076999Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79383-0x666708d8) 13241300x800000000000000076998Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000076997Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x010b2bb0) 13241300x800000000000000076996Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79372-0xa2de38d8) 13241300x800000000000000076995Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7937b-0x04a2a0d8) 13241300x800000000000000076994Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-SetValue2021-08-17 15:17:40.445{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79383-0x666708d8) 354300x800000000000000076993Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:37.354{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56532-false10.0.1.12-8000- 23542300x800000000000000076992Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:40.030{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF81DABED47706806FCA556760BA1FD8,SHA256=75562F97C656F4D7DE3E2D18826DFE81FFEB6F674B6767797430426BD12A1400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056444Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:41.831{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D7EE81615BF979C09000175B56950D,SHA256=DF3AC6DC3459776D81821819E8C03B1C15BCF047F4E6DF2E7DCF910D04D33126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077004Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:41.060{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1AB1931A77798E491B57C85BAA6259,SHA256=B96413D81D1B78A19A92D1091612EC826CEA1AA6C84A9A22A3AD6FC6A23972D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056445Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:42.862{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFDC9621CE61434F6C3AD316A119B74,SHA256=39C125195E8C22244709050C82A6324082AB54DB8C8DD957673EDC47B98B4FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077005Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:42.075{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA45025B672DDF817DFA81AF2A22C8A8,SHA256=0EAC2A212D76EC3318D2016F9D39232D7ACA9CF7F220CD11BAB83DAE2F563748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056447Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:43.893{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B39C00D30DA34B796C48FC265FD19F1,SHA256=ECFEEC75A9D47264363DBCAC7162A58C9562A28ED04D77CC323AC1B54C2671D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077006Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:43.089{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBCD45C209328FE0495FB1FBD06C4F8,SHA256=384BF349834BB08BD80E282CF8BD404EBF05166D66CBA617DAB9CC194B9C0188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056446Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:40.673{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056448Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:44.909{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA095F2D5287A44182BD6DD9C7E7BA8,SHA256=2313AED49508E4283349298CFA1F93D16E944465E3C43BEFF316F68E2E63FBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077007Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:44.107{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C1635A8F671847253425C1DE6EC029,SHA256=D394323A5CBC1870C9163BB78AB743925FCD670A1F1FBC4EDF35D722BC4230D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056450Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:45.940{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B77F5E5B5DD30966E984DB9D2B1D52F,SHA256=128FBF3E9F17AECA3689275890624ACB93FED5A465454FAE231925F4E86AD33C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077009Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:43.244{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56533-false10.0.1.12-8000- 23542300x800000000000000077008Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:45.124{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291C90ACE3840BE4C3EE412FD3E93DCA,SHA256=9BE8842D9E7DBD43089DAE58F2CEE17B94393C74B71CB10AEFEBDFA2827B35C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056449Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:43.284{8A88D375-90A2-611B-1000-00000000F101}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse147.182.194.6-61685-false10.0.1.15win-host-316.attackrange.local3389ms-wbt-server 23542300x800000000000000056451Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:46.987{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2020040122AA8D1B21AFA251AA1BA9BE,SHA256=2F8013D967C1F86B5FB726D17D35E2C5BF4207CA905B0B5DE75019D1FCF611EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077010Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:46.154{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36DCC5FAC4446648B02BB962FE94D45,SHA256=A05474927BE6C55BCE6E9F4DA28EB3B0D58D0395D0E762CA8E43150137E759D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077011Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:47.185{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB91BE3A4E347B27D5479502D2D47AA,SHA256=10AFCBE04909E2C23928CC74A82E5055A336E5A2A09482269414549E363878DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077012Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:48.202{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86679A232CD87E9CECB9080436C1B4E,SHA256=31E6B4CA96656D74A4B63B9E7E9009F8A71EDEC5993DF46B3C11E4EDF572F0CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056453Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:45.688{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056452Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:48.002{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4270884347EE44482A8484187D5AB6A2,SHA256=60BBA60E6585D285D5BF63528B447D9966E21862F16B45FA7C0F232EA9020C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056454Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:49.018{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04F6CFCCBADA3006E3EE3020F4E4186,SHA256=5C8F69E02BAC3082B820B5FBB5F6C078075A4C6C7D109755BF8FB715C3E1F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077014Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:49.235{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077013Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:49.220{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36532167A8AEF8559F678EB8C35D909D,SHA256=50CBE0FD4226D2C75EF20181338E7E754BB3D2E1B4794443150B1FE94B9725AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056455Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:50.034{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AB3CC95BF6D51C04F3A706BDA1651B,SHA256=CBF124BB83153DDD1E4A37329640FD337AA11215D340B88DDDB5B11B5664114F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077016Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:48.260{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56534-false10.0.1.12-8000- 23542300x800000000000000077015Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:50.234{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CB6961AC5A80C63799019877827025,SHA256=E3223E6C8F756B85D42B1D97EF15E3D2572CD92B0332279B7E748CC84376E400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056456Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:51.080{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1488876512E01C21287F5C1EB4CE67EC,SHA256=ED6B7234DDA5CF67505ADAC5DC6B4B6FFE2665ED3B010E65614AF33D986F19E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077018Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:48.360{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56535-false10.0.1.12-8089- 23542300x800000000000000077017Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:51.249{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269E05D0C745B77F8D6AE08FB5430516,SHA256=9C0D5C3FA48D3A915FE8955C7B47E005EA1566A9F60C223D37AF7F0FC06098A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077019Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:52.264{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9240CCFB0481DB1DEA9BE813D377F0F5,SHA256=46EE1C3CB049C8605E979AC10F260670B958F721A548E74240C4A9C443195918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056457Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:52.096{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A68371BE0058D779597B7C887EE3C96,SHA256=D8C3C03F2E4FB87EB14ED11B8657C94E59B0F73397E34B756F5875BC4E564A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077020Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:53.278{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580C73BECD29AAEB12EA9E9E09AEFF1C,SHA256=6310CD72AF033700474FA07400EAAFE725211C6BA060677766520D894CB6EFFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056459Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:51.673{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056458Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:53.112{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BF29039956C05E655EB3EC1955DD36,SHA256=425D0F381600C04642D0FDCA4AFECC435AC7D6C3B098619B26A6FCA7BE5B3239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056460Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:54.113{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D278549878DE3303D1A335F433941A5,SHA256=42A3500E151AA98B109C1A5B000A9C39017924612CE39FE4896D97E0F496F98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077021Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:54.314{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3AEE2EF9665C13E7A06797D34AF4F9,SHA256=B5A98B07C420B21C583A28227D1D538644C48C5EEF0EA1DADBD850EC933C948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056461Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:55.145{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBFA9ED09E93DFBDAE3F41C7C28709E,SHA256=78E5D25DE4573683D05A0C9FA68EF121A1B189A8445C98515B719E9FE7533B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077022Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:55.329{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978BBCA3FC51A0D31D61888226DEB09A,SHA256=2776BB241ED3E1FAF510DEE6C53AD4D9DF1C22BD6A67DCEEE9707BC4A7230E04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077026Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:54.375{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local58631- 354300x800000000000000077025Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:54.372{2F630BB9-8EC0-611B-2D00-00000000F001}2204C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-86.attackrange.local50904-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000077024Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:54.186{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56536-false10.0.1.12-8000- 23542300x800000000000000077023Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:56.344{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263F9C035283E9E7F541CC77C5990B14,SHA256=F8A52EC9484499C3D589035B272DD7B71F4F20DC5C06954B6A792123BFB0E275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056462Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:56.160{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3A9882C3F8FD3B1947A3D6CD0F1C3D,SHA256=AF55FBF5705250F5114236C1EDBF8A5C938D4847DD457FF35D1BDBD82C453F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077028Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:54.376{2F630BB9-C763-611B-240C-00000000F001}1128C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-86.attackrange.local56537-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000077027Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:57.374{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270A89058123E87F37A12BA1172B7B9E,SHA256=56B759E2D2E9433EB0FACB8F6EE37C4C527873E1C20236E72D19C83B2AF54437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056463Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:57.207{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2845BD999C9B8511A6018DE2A3B90E,SHA256=843FDB3562F6386849A80261D910A7DB87CA462ED3867857C1E88929FEBCF1AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077030Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:58.725{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E4E61FFFC6A5D35FF8FF3DC703ED829F,SHA256=518DEA9CDBBA1DCEE0B1F1B1804DA213571F06E6AB2F30D7103CBD3A18B96343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077029Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:58.394{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F5963A9F44FDC6C9EA0E60923B3DB7,SHA256=B249623801E1F02983D87124B6F23D93C785B5E92003A7645411A783487F5071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056464Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:58.223{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D119F2F21D4C73793695AF05B2D3F85,SHA256=53340938A47A3CB87BAB339BC0A7293FE8070AA3061B46B24A53B012E168F368,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056466Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:57.627{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056465Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:17:59.238{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB407F1A30A916C58D16468ABAB79442,SHA256=1D8D7393AF2A1209B392AD8B10B604E41CC61D4B41D877C92A81C52CACA50CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077031Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:59.408{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F656C3AEA80296A7148517849E723D,SHA256=D9B37BC58A021E1D68E127F1043BB8B5AC2DBCB3AFE6EF079BE3CBB120998E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056467Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:00.301{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F138BF1EF7AB43D466D0EB524FB867E,SHA256=875F0AB8129B9A5C86D9C6B93FF1776CD61B0703E847DB226663DBE05B8DD4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077032Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:00.439{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080645DF3DE514EAEA8F13F8F0E6BCC7,SHA256=D7A905B21000700F0BBDFF3B0486A70CEC5412026E71E3ED482223B07EEE99D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077034Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:17:59.279{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56538-false10.0.1.12-8000- 23542300x800000000000000077033Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:01.468{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AE1B5FDB5F9D869B7CD2CB21ED3563,SHA256=7D2641386B5D21D0779450B882872B7A54DFB0D0E8900BD25013A99E8DCF7DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056468Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:01.363{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49084F599DBCB772E864565EA293D997,SHA256=0CF5B144C2EE7FE51131989ECCCEA2C6ACD6E0EBE4DBCE51EA47674CF2970765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077035Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:02.486{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACEB8E42E086D970F3D741E365F4C21,SHA256=4F42DA7617D7C747DE710FABF8292F6E44A8649E1D088CAC4A9CB0F67B86AC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056469Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:02.395{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB3DECBE9C204D1E08FADFAB85B78AE,SHA256=48AF6BEC8AE5EA8478E263EE06B4CD5071599462A1174E11067257C584D18F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077036Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:03.504{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D49CE81379559FB5C2396AC8BC1F13E,SHA256=49810F3C0314A4AF3CFCE8A64B9375B997342268016BB705020E73298D874CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056470Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:03.441{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C31086B99BE564E22B4FE23512C1BBD,SHA256=661936C218103C4E65B2A655D059C1D08E4A8D881A04E2200C5CCDE2F37543F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056472Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:02.705{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056471Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:04.457{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D17F5127767BCC63C0ECE0C5FC7544C,SHA256=A2DC0007CD595127BBBA7EE7E43D6C4B10D198FACEA128C546F9A7951D8339B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077037Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:04.534{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5D8087900B3A07ED251D6FC3704576,SHA256=320F1EC786BEDA238590FDB03E2769CE1CE7BEE4A8D67AF9AAB306337AF61588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077038Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:05.534{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6275343137B433E0EEDFF6CC1606FA,SHA256=97B11CF946F6EC2782B297CB32D8E62048DC91B90E05D2E8556AEACE73740890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056473Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:05.473{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F94D833505D9148D975A4F7F3AB7A11,SHA256=0EA342BE7CA574A5CEBE96F70E1147511A2F14F43F06CB5670C4A9FBE4402A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077039Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:06.564{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E86975605315191E6E03191DA18221A,SHA256=6B72E306CEF5E9E832E7B068C4EFF25E1B6388E2CE5D94738155D4104F8FA71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056474Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:06.488{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE527E18FCD012BF63F9A201C24C3B6,SHA256=A579E6245082A0F09AE5A77C537B1AD4301172C9FCEEC8D45278393ECC23421B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077043Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:05.174{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56539-false10.0.1.12-8000- 23542300x800000000000000077042Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:07.584{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E767095D890E04E1DE370136657F4E9,SHA256=1C17586AFD0E7FD17A4E7CBB3473EF01BD8248CC344FFA82F414F256BC09C37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056475Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:07.504{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8369900700FF50541AE8626B9A14F212,SHA256=8524FE21065D8EDE4B969F2E2E7F958EC2C5F7B71E89B50C7E5EA561DFF0706C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077041Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:07.432{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077040Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:07.432{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A90523A712E4CA1D80AAC5573D83B62E,SHA256=87401DC8ABE0FC6FBCF9EA60F0CC8CD0D4B1E71B7044CBF99F9C0AAE85B571C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077044Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:08.630{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32167CB020A5B2DCDF069E8D5668C4F6,SHA256=C5F6A0AA865AA0372A34CB270C3029B582594F290A7247AAD10ACAE4075ADDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056476Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:08.520{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1601FFEC28A0FA80A803F3B38D067543,SHA256=6C967AD147606F891534861159E79DB5CA16CB69097D65091038BC89F8765342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077045Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:09.660{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE377E7EBAB32D647A075C7E076958,SHA256=AA7F7AE5B51170049B4F52F6DFFF4E5006A49F7562D978CFCCC0F6EC9EE2B2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056477Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:09.551{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6375D54C80B555EA94208AD68A01E748,SHA256=048F63E64D44F90BBBD308A42470AC3FB121CBD20B915D9D3954B410DDAFC924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077046Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:10.688{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3C4E80CC70C1B00F58C25970A3A663,SHA256=08413B040889FF1B292FFC3036B1A7E250A043E02961731FF9A8BE5C8D292E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056479Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:08.549{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056478Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:10.566{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA2B18082351CD6617B9D421DD4A877,SHA256=F9223A4FDFB07BB0D6471A2083B48D0C317C5B7D0B7F0403C15D7569FCBD1563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077047Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:11.706{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CAFEC13C9D97B2070A989C9D37364D,SHA256=4626EA3F6359A429EA132B687F8CB9A8A65B8F0DB8849F0B614DDBABE7C8DF0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056488Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D333-611B-C40B-00000000F101}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056487Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056486Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056485Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056484Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056483Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D333-611B-C40B-00000000F101}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056482Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.973{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D333-611B-C40B-00000000F101}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056481Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.974{8A88D375-D333-611B-C40B-00000000F101}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056480Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:11.582{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F5B5DDEED2C2EFCAABD5D13A681BAD,SHA256=49941ED85774DDC44F59C7B3A3F981154714E2BB61F4F252248200E9FD48F644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056498Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.941{8A88D375-D334-611B-C50B-00000000F101}60245888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056497Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D334-611B-C50B-00000000F101}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056496Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056495Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056494Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056493Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056492Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D334-611B-C50B-00000000F101}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056491Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.723{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D334-611B-C50B-00000000F101}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056490Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.724{8A88D375-D334-611B-C50B-00000000F101}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056489Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:12.598{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9DA75A4413DB728A3FC9C2931FBC9D,SHA256=8246AA4F49D2071FFC60227F75039F3291AFE3E8D93C3B9856B68504A0CE7FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077048Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:12.721{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328A82178354F8C8977C4A6AE1D17A22,SHA256=C74193E75DD817B1FBF7852B14493F4CEE9C3FE9A136A486E53EC90FC766AC6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056517Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.910{8A88D375-D335-611B-C70B-00000000F101}25281944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056516Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D335-611B-C70B-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056515Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D335-611B-C70B-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056514Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D335-611B-C70B-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056513Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056512Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056511Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056510Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.723{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056509Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.724{8A88D375-D335-611B-C70B-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056508Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.629{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B0424069FB19518173BB5CD3B02BF8,SHA256=C425AFC42CCD998E7C5F1B394168B3BB93F8976699CD8C99394BC950C1990010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077050Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:13.750{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323BE34913C621086A8E3EF277067EB1,SHA256=DF2D679CAC64BE33ECD5BF077AA37D25BE111E62AF61F869B2E494D2C89AA114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056507Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.551{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F8751F954F1190F8B6B9C20D9F125AFF,SHA256=40010ACD0D360FA70ADA94D40AA6EC192B90E52B873830C496D942B071D44569,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056506Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D335-611B-C60B-00000000F101}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056505Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056504Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056503Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056502Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056501Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D335-611B-C60B-00000000F101}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056500Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.223{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D335-611B-C60B-00000000F101}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056499Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.224{8A88D375-D335-611B-C60B-00000000F101}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000077049Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:10.378{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56540-false10.0.1.12-8000- 23542300x800000000000000077051Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:14.784{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95717BD63C2FCF6231CF90F7E3942030,SHA256=CCABFF5838629C3B09AD8C4D01217C43D8DE669B411D016422E96A320FCE7B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056518Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:14.634{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A1404E989854CFAD11F54BF7488640,SHA256=C993EDF6ADEDF2F9AAFF9ABBAC034112D9AF41A5DCC95FA6338F1F1F619AF2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056528Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:13.632{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000056527Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D337-611B-C80B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056526Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056525Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056524Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056523Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056522Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-90A1-611B-0500-00000000F101}416432C:\Windows\system32\csrss.exe{8A88D375-D337-611B-C80B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056521Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D337-611B-C80B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056520Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.728{8A88D375-D337-611B-C80B-00000000F101}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056519Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:15.665{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1B656F64E4E27C2B2D189BFF30BD87,SHA256=067BE36FD1010043305E5E27A746FC078174B0DE4AA08E8C190C95FD2D4751F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077052Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:15.802{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1210AE90EB4C915A950FF0CF185ECB8A,SHA256=605C5CD798AC9C4BBCBA6C978CBECA8259C21EFA636A763EE3310073DF748DF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056547Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D338-611B-CA0B-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056546Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056545Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056544Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056543Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056542Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D338-611B-CA0B-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056541Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.889{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D338-611B-CA0B-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056540Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.890{8A88D375-D338-611B-CA0B-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056539Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.685{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407F51E4C35B3D8C209FE03BE6571D11,SHA256=3D7F74F6FBAA58B7051A89F2B97CF99AD2F487D14F4B5851261ECEFD72F8A82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077053Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.817{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D37BE9E7C9765906D434901469FBEF,SHA256=963F3FC740CDF6B1E5215186E7B1C185CC73B2D567EA27E9E43D4744D079FA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056538Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.545{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-276MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056537Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.416{8A88D375-D338-611B-C90B-00000000F101}55524548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056536Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D338-611B-C90B-00000000F101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056535Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056534Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056533Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056532Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-90A2-611B-0C00-00000000F101}7366084C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056531Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D338-611B-C90B-00000000F101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056530Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.229{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D338-611B-C90B-00000000F101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056529Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:16.230{8A88D375-D338-611B-C90B-00000000F101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056550Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:17.715{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B8B72A7FD03B39C6B5B7D99FEDF164,SHA256=1DAF1EA0EEB2BE0F5633BB3F683790B86A7327303D64825182C48DFBEC2C9B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077056Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:17.847{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B30575ED38A4D536EFDDB8EB942A258,SHA256=F0F0A3572F4CA735DCD6C173CEE73B6376111B214B54540DF872E3478873FDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056549Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:17.546{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-277MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056548Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:17.092{8A88D375-D338-611B-CA0B-00000000F101}19884340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000077055Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:17.216{2F630BB9-8EB3-611B-1600-00000000F001}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=7A19EF82F55BB623B671C86E33DBEC24,SHA256=AF2474F6DE12CEEF92B111A8B337DE951E3881DC21189420343D38F481684FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077054Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:17.201{2F630BB9-8EB1-611B-0B00-00000000F001}632428C:\Windows\system32\lsass.exe{2F630BB9-8EAF-611B-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000077070Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:18.884{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB9DA60298A9EF3A84C4FDA2823351B,SHA256=57CD5892BDFF378B91F38576031260D56CF2D853D4DBD192F26E4D3B3BAD0CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056552Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:18.874{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056551Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:18.718{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39783674844B88C72EDAAEB67E4FB820,SHA256=B30074408105FF5EA68465C9E81D34C1F633611A1200D367AEADB4283D3849D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077069Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.347{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56546-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000077068Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.347{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56546-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local445microsoft-ds 354300x800000000000000077067Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.345{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56545-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local49666- 354300x800000000000000077066Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.345{2F630BB9-8EB3-611B-1300-00000000F001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56545-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local49666- 354300x800000000000000077065Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.344{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56544-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 354300x800000000000000077064Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.344{2F630BB9-8EB3-611B-1300-00000000F001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56544-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local135epmap 23542300x800000000000000077063Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:18.216{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AE7C36F313123658234A256CDD8B15F,SHA256=DEE078F0794A6929FDD250A1C98FB784B203358A21386FE91A99B44CF6B76E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077062Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:18.216{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3B5F4C42512BCAB56CCFA1A5D587F8,SHA256=C7F73CED6B9C85F2BE7E6AC6B4DF754D0D810A32847D435FA75CE6D486EC79AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077061Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.235{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-86.attackrange.local56543-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000077060Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.235{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56543-false10.0.1.14win-dc-86.attackrange.local389ldap 354300x800000000000000077059Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.228{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56542-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000077058Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.228{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local56542-truefe80:0:0:0:592f:f1cc:15ea:8d47win-dc-86.attackrange.local389ldap 354300x800000000000000077057Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:16.141{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56541-false10.0.1.12-8000- 23542300x800000000000000077080Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.898{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE8FACEFED333C244D0B657C5FAA870,SHA256=5768D0DCEB3E8E86DB1E5A7B39359CBFEF026668F2CC21A242ECB0DA6EC44B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056553Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:19.765{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2620395E67EA2C920DBDBFFCE61B4FC,SHA256=B0C02541EBC0C3B51965E0CBFD6CE0909BD7CAB9B0D666474B4F4A4BA4CF9031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077079Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.714{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\aborted-session-pingMD5=19530CAF86E4904CEE4C618E7E8A5DBB,SHA256=FC0034A4121BDA1C3D27649DC570DD7B432D752E7525F519E73C9E2D450563E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077078Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33B-611B-B90D-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077077Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077076Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077075Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077074Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077073Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D33B-611B-B90D-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077072Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.361{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33B-611B-B90D-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077071Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:19.362{2F630BB9-D33B-611B-B90D-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077098Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.898{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6DFE9E17E1A86D28E66877F9CD8BEB,SHA256=3A6CB1A80A0D79A4BB1D903E9FAB2643555DAC68E8CE38F71A24D1F6D4AC4BAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056555Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:18.341{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056554Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:20.780{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D8905936F4BA2DB411DAE2DE6A573C,SHA256=A54DA4165390B0703C56C33C108E9ECE63F11CC9F934B28F9C225DCDE4D96896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077097Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33C-611B-BB0D-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077096Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077095Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077094Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077093Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077092Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D33C-611B-BB0D-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077091Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.713{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33C-611B-BB0D-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077090Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.714{2F630BB9-D33C-611B-BB0D-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077089Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.182{2F630BB9-D33C-611B-BA0D-00000000F001}3083372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077088Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33C-611B-BA0D-00000000F001}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077087Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077086Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077085Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077084Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077083Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D33C-611B-BA0D-00000000F001}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077082Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33C-611B-BA0D-00000000F001}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077081Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:20.045{2F630BB9-D33C-611B-BA0D-00000000F001}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056557Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:19.669{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056556Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:21.827{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE27766CCA3019874DCF3C50D2DB2524,SHA256=4B3ABE5E3C71E7E6B060B322277A3C30C55D4D0F5B6A8E96A8023CFE9FCE1C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077108Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.912{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F40DE977FE99955F788D950072C9D5C,SHA256=7CC7C41AEEF170F3FCB3B8CC02BEC1761D279E291B9375DC3CDC8865F51A2C06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077107Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.513{2F630BB9-D33D-611B-BC0D-00000000F001}80327596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077106Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.381{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33D-611B-BC0D-00000000F001}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077105Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077104Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077103Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077102Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077101Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D33D-611B-BC0D-00000000F001}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077100Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.378{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33D-611B-BC0D-00000000F001}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077099Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.376{2F630BB9-D33D-611B-BC0D-00000000F001}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056558Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:22.874{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9251326C7F8823A8322E792A8C480F,SHA256=460A3E57B733EE5AA907A1D907988A999D666887A005ABA3DA6653C896587FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077127Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.927{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4181E081841294423F490172D5B977,SHA256=5EB1AF0186D5E7045E7722E61663F2ABB5B78F00EE6D102437705EBFD96F77EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077126Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.896{2F630BB9-D33E-611B-BE0D-00000000F001}78127444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077125Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33E-611B-BE0D-00000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077124Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077123Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077122Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077121Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077120Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EB1-611B-0500-00000000F001}416500C:\Windows\system32\csrss.exe{2F630BB9-D33E-611B-BE0D-00000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077119Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33E-611B-BE0D-00000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077118Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.743{2F630BB9-D33E-611B-BE0D-00000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077117Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.196{2F630BB9-D33E-611B-BD0D-00000000F001}24684152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077116Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D33E-611B-BD0D-00000000F001}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077115Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077114Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077113Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077112Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077111Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D33E-611B-BD0D-00000000F001}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077110Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.059{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D33E-611B-BD0D-00000000F001}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077109Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:22.060{2F630BB9-D33E-611B-BD0D-00000000F001}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077128Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:23.975{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0247C96B62E8E99C3A742384E25EB1,SHA256=2C809B313B1CA2E182320A8012641D67C4046184AF838D9320EEC10377D6ED6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056559Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:23.905{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F9290D39D241B1F1A8AAB8FE5260E4,SHA256=12F4CBD241990044F9DE07830DF232A8743971CFA2C0C3B87E24181FABC62533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056560Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:24.921{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FDCE7F1F9DCBA3A6F03EBA9B97EFF,SHA256=23D55243C9B9F49B8D2E6F1F80AD6A8B88D9065AC15C6E9336D8A20845447E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077129Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:21.352{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56547-false10.0.1.12-8000- 23542300x800000000000000056561Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:25.921{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5186D4B35C25BBC745009FDCED91CF,SHA256=1D40B959EDB7836577C5FF5C6C87D108EAF753826D8D4FED9344F9043F3321D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077138Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D341-611B-BF0D-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077137Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077136Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077135Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077134Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077133Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D341-611B-BF0D-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077132Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.156{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D341-611B-BF0D-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077131Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.157{2F630BB9-D341-611B-BF0D-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077130Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:25.009{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9819BFF3956B1E344B0284C28F26C412,SHA256=C86F57FAFD781A86E6180216051FCC5932239D8E2818310F7E653C1EED6969A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056562Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:26.952{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3CA649E37DDF05FB078D2C19E205B7,SHA256=E36C057D55EB39F758B9F6F2771513D44822D154F071A891D76B130D719836AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077141Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:23.996{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56548-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 354300x800000000000000077140Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:23.996{2F630BB9-8EC0-611B-2600-00000000F001}2884C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-86.attackrange.local56548-true0:0:0:0:0:0:0:1win-dc-86.attackrange.local389ldap 23542300x800000000000000077139Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.039{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75881810DCB516967FF328BE1488CC73,SHA256=9EB045C56918BE9DA48C55D047595AC48B164E10D8B5A5461FAF7CED07C02E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056563Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.983{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5C49FACDA9D1469F3DB1DB1E4BF5D8,SHA256=6FCCD55112DB6E8615843B26C9013A4954F15C15738F51B5CB16D331B5EB1320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077159Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.556{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D343-611B-C10D-00000000F001}7636c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077158Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.556{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077157Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.556{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077156Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.556{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D343-611B-C10D-00000000F001}7636c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077155Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.556{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077154Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.539{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077153Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.539{2F630BB9-D343-611B-C00D-00000000F001}23125640C:\ProgramData\chocolatey\bin\7z.exe{2F630BB9-D343-611B-C10D-00000000F001}7636c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|UNKNOWN(00007FFF66201F3C) 154100x800000000000000077152Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.554{2F630BB9-D343-611B-C10D-00000000F001}7636C:\Program Files\7-Zip\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exe"c:\program files\7-zip\7z.exe" a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc2.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=619F7135621B50FD1900FF24AADE1524,SHA256=344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2,IMPHASH=41C55772E303B8488EA464A0538E35D5{2F630BB9-D343-611B-C00D-00000000F001}2312C:\ProgramData\chocolatey\bin\7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc2.7z C:\Temp\terraform_2622642.cmd -ptopsecret 10341000x800000000000000077151Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D343-611B-C00D-00000000F001}2312C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077150Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077149Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077148Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077147Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077146Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D343-611B-C00D-00000000F001}2312C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077145Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.507{2F630BB9-C7A2-611B-3F0C-00000000F001}57725776C:\Windows\system32\cmd.exe{2F630BB9-D343-611B-C00D-00000000F001}2312C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077144Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.518{2F630BB9-D343-611B-C00D-00000000F001}2312C:\ProgramData\chocolatey\bin\7z.exe19.0.0.07-Zip Console - shim7-ZipIgor Pavlov7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc2.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=52F8AE90DA55C6327F479C282707B659,SHA256=82A435626764FB4893A1340C465B1AE1F906E582258CE8787C0C44167634A41F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{2F630BB9-C7A2-611B-3F0C-00000000F001}5772C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000077143Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.042{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD7B4E321E6781CB516C9FF30EC494,SHA256=8A364EBC6EAE8A63F2294DC424EC4F5065C70C9963AD49AD566B261888CF805B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077142Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.041{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\respondent-20210817102610-284MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077161Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:28.061{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526B31B754E002DA2AA0327A11AC54B4,SHA256=8B32CAA5D6FF9E2121E5CEF3FC0B91CD1CE5D26A7E8800F9280BC3316A3667BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077160Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:28.055{2F630BB9-8EC0-611B-2B00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b73b8e80349b1200\channels\health\surveyor-20210817102608-285MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056566Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:28.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81A19500E6EACE0CCF47762D94C0462,SHA256=1007BAD49AC732E67E8D4C7C9BEA36C0CC3EBF237F821E2DB62B28A6ACDB9760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056565Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:28.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FF254A266254D3EE4087D8B2C094272,SHA256=B1C3B51A4915E359E2EAB3F4B718530912695A91BF318BD8A8BCAB03513B56AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056564Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:25.669{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000077169Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.756{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53201-false10.0.1.14win-dc-86.attackrange.local49676- 354300x800000000000000077168Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.746{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56552-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000077167Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.745{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56551-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000077166Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.743{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56550-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000077165Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.716{2F630BB9-8EB1-611B-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53200-false10.0.1.14win-dc-86.attackrange.local49676- 354300x800000000000000077164Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.715{2F630BB9-8EB3-611B-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53199-false10.0.1.14win-dc-86.attackrange.local135epmap 354300x800000000000000077163Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:26.710{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56549-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000077162Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:29.071{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9410313428FA5939D18F69FC555579,SHA256=4880574564CB2A12F20A2004CBD2A2ECA14AE785280906F31E32A331952EB27A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056574Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.093{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53201-false10.0.1.14-49676- 354300x800000000000000056573Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.084{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56552-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000056572Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.084{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56551-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000056571Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.081{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56550-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 354300x800000000000000056570Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.054{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53200-false10.0.1.14-49676- 354300x800000000000000056569Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.053{8A88D375-90A1-611B-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53199-false10.0.1.14-135epmap 354300x800000000000000056568Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:27.048{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14-56549-false10.0.1.15win-host-316.attackrange.local445microsoft-ds 23542300x800000000000000056567Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:29.030{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8940D625126999B69F9B6C2D5AF4F034,SHA256=E70F07279C6B516B173C2A345E62EE2814451230E467F20FF6192475F1B828D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077171Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:27.394{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56553-false10.0.1.12-8000- 23542300x800000000000000077170Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:30.090{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2E567900530265A85455311971AA34,SHA256=3ECA37BE9175F965B98FF0AD2A552EC1599A5752AF0C445A65D26806F5BF3B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056575Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:30.046{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBDAFD6438A1B57D50335B3A07D4F41,SHA256=BFA34690921C37BD4C93BE49550B410BE17BEBE6BC3736E153E0A9A8CE0778DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056576Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:31.077{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C538A8D02A4869F7C092D41A3079EF73,SHA256=CF3ACC74B6C71D08DE12A89987C9B511F6E34F9EABF751051B115451BD941727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077172Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:31.105{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F2784C6B1D04EC40206C62D90AAD51,SHA256=7A4D9869F9D4E4146D24387A9EB1072F50D98537532F5311FCF42E6B39D372DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077173Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:32.119{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AFD1CCC76B80EFC50695FAAC7AB0EE,SHA256=27E67DE1A3C5E624E8BB47EEBE322E71458087A5C1166D8D27FE6894C6CB9D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056577Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:32.124{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C6BAA9DECDE8254C2223B3F5D101F0,SHA256=64E26A0FAAC4CFF5B843BA12342CBAF94678B9B64CE42341FF807F09EE3E503D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077174Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:33.149{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1B1CD0D85CDE95D6D2AF955ED7DBA4,SHA256=A7574D8AF352C594B024B30CC002A3589FB39764B669C5D1405BB7DB9BCB2535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056578Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:33.140{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4333132FD2E90B5E78ABE1E50A94C4,SHA256=A8F410574FF2BEF2CA1F436262E0D2C144F4C42CEC769B2D494D707F96171F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077175Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:34.170{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B8A3BBC8C484D61150DA64DEE9C88F,SHA256=7DE162D97098E21E9AC11644140440B48FB74494031A4CCE3DBF0530D5E676AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056580Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:31.685{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056579Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:34.153{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E06B59F9BAE013A5422FCFEC3E7823,SHA256=BAC255B696823FFBF18BAB9F1AAC869B572CE9FFCC10D64E8DBD04C098DA32B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077192Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.669{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D34B-611B-C30D-00000000F001}6136c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077191Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.667{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077190Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.667{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077189Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.667{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077188Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.667{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077187Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.667{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D34B-611B-C30D-00000000F001}6136c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077186Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.666{2F630BB9-D34B-611B-C20D-00000000F001}35724624C:\ProgramData\chocolatey\bin\7z.exe{2F630BB9-D34B-611B-C30D-00000000F001}6136c:\program files\7-zip\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|UNKNOWN(00007FFF66211F3C) 154100x800000000000000077185Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.666{2F630BB9-D34B-611B-C30D-00000000F001}6136C:\Program Files\7-Zip\7z.exe19.007-Zip Console7-ZipIgor Pavlov7z.exe"c:\program files\7-zip\7z.exe" a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc3.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=619F7135621B50FD1900FF24AADE1524,SHA256=344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2,IMPHASH=41C55772E303B8488EA464A0538E35D5{2F630BB9-D34B-611B-C20D-00000000F001}3572C:\ProgramData\chocolatey\bin\7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc3.7z C:\Temp\terraform_2622642.cmd -ptopsecret 10341000x800000000000000077184Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-C7A2-611B-400C-00000000F001}57564704C:\Windows\system32\conhost.exe{2F630BB9-D34B-611B-C20D-00000000F001}3572C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077183Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077182Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077181Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077180Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-8EB3-611B-0C00-00000000F001}8521844C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077179Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-C74A-611B-FA0B-00000000F001}10763188C:\Windows\system32\csrss.exe{2F630BB9-D34B-611B-C20D-00000000F001}3572C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077178Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.615{2F630BB9-C7A2-611B-3F0C-00000000F001}57725776C:\Windows\system32\cmd.exe{2F630BB9-D34B-611B-C20D-00000000F001}3572C:\ProgramData\chocolatey\bin\7z.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077177Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.623{2F630BB9-D34B-611B-C20D-00000000F001}3572C:\ProgramData\chocolatey\bin\7z.exe19.0.0.07-Zip Console - shim7-ZipIgor Pavlov7z.exe7z a -tzip -mx5 \\10.0.1.15\c$\temp\topsecret_dc3.7z C:\Temp\terraform_2622642.cmd -ptopsecretC:\Temp\ATTACKRANGE\Administrator{2F630BB9-C74C-611B-02A8-6A0000000000}0x6aa8022HighMD5=52F8AE90DA55C6327F479C282707B659,SHA256=82A435626764FB4893A1340C465B1AE1F906E582258CE8787C0C44167634A41F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{2F630BB9-C7A2-611B-3F0C-00000000F001}5772C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000077176Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:35.185{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A0AC073C2185676B4DFCBB9D0C745B,SHA256=1C8BBD08C7D049024A43411FB2C992D3F9664834CDDB8838BCF502469057A411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056581Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:35.185{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E220FC71287D9E342E22954C00DB7C,SHA256=C340B838891B466C94545266934529721188255A6FBD269ABE507F130B836581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056584Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:36.685{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F560D727FA54BE48C9DFB0DEC5AC8416,SHA256=DEC52CB8425DEDC3FB92A527D6EA40F56053F42D35C8FEF4C6CB35C06C691329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056583Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:36.685{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81A19500E6EACE0CCF47762D94C0462,SHA256=1007BAD49AC732E67E8D4C7C9BEA36C0CC3EBF237F821E2DB62B28A6ACDB9760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056582Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:36.200{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93CA993221DBD31FB7F893425ECA415,SHA256=0F692D2EF6AD19E32BA322FB987F886CA2F104FFDE1C81D7B3A54A0EACE0ED49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077194Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:33.357{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56554-false10.0.1.12-8000- 23542300x800000000000000077193Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:36.215{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C522AF03BB16B6732CA7FACF4441075,SHA256=71892EB308F7707DBE98DD5F8EBB57473DFC1DA1FCF0D952F58D88FB43908C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056585Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:37.216{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB22BC590C532CA371B573DC80A00D2,SHA256=41C54C392AF756BF6D35F36FB5B26F9DDB17525D1AEB98972149F3D63ABEE27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077195Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:37.229{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ECD844D9EE3AFEF858477B3DF63AD5,SHA256=5712AB2E35F6B44F09EFF7EC809DA66CBFDD113CE9CD3AEB8DDEB032183D4AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056586Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:38.247{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F53F975A261F1848DCD736F6F72E596,SHA256=81247C6A1842DD548FF1C4DCACA6E8CBFFCFCB311C0C01329402633FE4B08FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077196Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:38.244{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA1962B090EDFEFE17BD75A2725ED44,SHA256=1E11F535FE0EA127AC41203452A1B94AC98BA79E3D144478B9589200AA8FE9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056587Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:39.310{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C508A97CFF2460B7FAE4F366F965E296,SHA256=0D4D48A0FD3C122218FF61F57418C484AD5768EBE3D53FDD144B988E4F681BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077197Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:39.262{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C28194FEDC70E2F503658B7EF1EE7B,SHA256=EFF849B256FBA4B4107351BFFCD12A460C10045212C2FCCDA53C42450211EA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077198Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:40.279{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B92371453BD39C74F7AAE880356D1D0,SHA256=AF1B7EC0042A3EEE0DC18A958DF57283B374344A26BB283CC8082B421B45484B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056589Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:37.558{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056588Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:40.341{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2BD95FC3ECD9F0A80E89683510FC1F,SHA256=B140F4005E304DC90D7FE7FC7CA454748BF38B41B5242B8878B8AB57E7431105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056590Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:41.356{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476DC69D66A49A706D53345004CE7D1C,SHA256=284DC855B25B8E3F84609AB832154BC598ECDBABCAB8F945699DAB4A22AEC6B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077206Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:39.297{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56555-false10.0.1.12-8000- 23542300x800000000000000077205Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=242ECD26936C4FCE9FC0DCD063B5E0AC,SHA256=10F577A750EC667D5C859BE75D61237F506023B78146E49ED65645FF56892D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077204Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=90B029DCE662626ECFF88FD7F6A9C943,SHA256=CCDEEF5E4006882EE454D5401B6A12611AAEC225E3639C66A154C5FAABAE98C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077203Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=14EF3869DEAFA46B7B8C393C21903D72,SHA256=67C724F897197C4044FB47D75F2E8408F06E069078DE77E6C1DDD25476430159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077202Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=7B127550D4012219545713B5D8711ECE,SHA256=91E32FC15E26FDDC09C755395B5A6CD897D8B7BE7CB968DAC8A80E223430A6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077201Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=9806C69736B058F09715462B43721FB8,SHA256=048B2E62FFFE2D2B1E1A76F5C32DB30C066D5C7F773200E892DB3451F9E094D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077200Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.378{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=8BAB601E759DE9A7F2C597FA21D5CCED,SHA256=9E16417CE238DAE5C188911BA80514DF7FC61D84696CCC6EB417907EF6A40750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077199Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:41.310{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA72F1663CDD0B54514CB6FDDF8E20CD,SHA256=A57E39012DF0CDA29CD526A0F8641EB9442E0C4F1FD3AE770B199D3FB63D538B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056591Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:42.388{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F78879D90F07B839EE04C8F864BEDA8,SHA256=35765CD8A23D6382FBD447FF6821C98A42EA54E8BDBE470E707DB857C93E1040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077207Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:42.324{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A839EDABB47C7353BF2B884053718B39,SHA256=2D86301AD19595C9F8778BA9CFBDAB5F12E5D62E31D702B3CC6A0AABA61F7E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056592Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:43.435{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE6DA009485789582933440C3E17F0,SHA256=60BFD7E892A9D847E7D0C22C03CE290F3528FE7F6E830D16F7EB3F6AB36FC0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077208Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:43.339{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121079050615547033376258B69773A,SHA256=19D6113D376510B9EC14FC2CE0D2FA4EBEE8BB82889E819C7B4D0E24E03F30F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077209Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:44.355{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09892C83F1D80F57A4DEAF904C3AA3D,SHA256=84B0DF3C6002B77D796F0B99CF765579977C803EAF24D3D22D8CEDDE91DD46EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056594Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:42.636{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056593Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:44.435{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73467D7F3837BF557E852B167EDB444,SHA256=83C3CDDE93E7953CF962738F8ED12CBDDE2D3787B6E0431A2A0640C894B62243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077210Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:45.390{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A32CE5E56C1B5779014DEDD04710985,SHA256=FA0DAFA64715AD9AC45A3B7672326B055A5E29E84D3AFEB0568403A3DD8849E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056595Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:45.450{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0105BED7ADA70552B433197129F75B97,SHA256=927F7911C2B06BE7131EF43B3D7ABC174FED1B7712CE45A06DD5B6E06440A737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056596Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:46.466{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B655CC20C5C6EF3CF97D567EC37264E,SHA256=5924C3A48EA20BB231544B28941C5B25AAEE1F10C977C85EA3E1BE1600E1E1EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077218Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:44.392{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56556-false10.0.1.12-8000- 23542300x800000000000000077217Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.404{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC4E68C790C396BA8C4979CEE9B3306,SHA256=F4333FED39DA02370AEAF0C279F9CADE13EE6A7F3D11E556B9BA98F289BB8977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077216Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=57C3484FDEB4AF16EDD76322CE739976,SHA256=816D91B2DE1B3F768192C20F3967B68F771365391654BEF48D988716A73F7A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077215Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=CF954D56270EB99477C5BD2C3618B53F,SHA256=E550C9269C762DC609F35496B7B704C5382E5084AA7337A0518225C87BC28415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077214Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=84BE71F86F7786A8247539E6564C373C,SHA256=DB91A7EC1868F769FB94F91C480B5452D021906C052BF4FA09DC56049FDBB41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077213Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=4BB72654FD5A7A34FC672C390A0BC135,SHA256=3EE4A73E6A4FE57C23E8ACE767931A013C466FD2E9F8E6AF7DF58917DA421618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077212Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=5F99B833E720F0BEB713D40A89B6CDB0,SHA256=055E83E45FEE6B489EBCDED7833E718992AD51AEFEEDAE5F3D07DC727603689C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077211Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:46.389{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=4BA04A733744219520AECF7A76433604,SHA256=E06F5D7B656702A4E36E25A3E0A3811DAF06FDAD11A7B43910D224EEE9993BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056597Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:47.481{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEF6D253B84E8FBE7798D2B498EE55D,SHA256=289300661F9943B7B4B22F118977072BEDE2D3B6672D9CDB3FF92BFB32658335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077219Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:47.419{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5F2085B7BFFF60D6D6EDA66F15BFAC,SHA256=CA911118BC78DB4AAFB4F481EFB712F2D86A571C4969EDC135A4EEE466D7FE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056598Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:48.497{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DF8F23F106821C430FC7FE1CCC1D7F,SHA256=E55EFCD56C0D9F4F6CF7EA759DE3CD90B3EF83909A88FA6273063A9B7B48DC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077220Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:48.433{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81336150F24B5C5A7C995399A2899167,SHA256=DDB6C6E94B77CDA98EA1AC7905D68B4586308E1DC5A86D93586ED6F5B741BC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077222Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:49.450{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91344D0DB542FDE063768FABA924BC,SHA256=47AEACF4AAC133086504FA93E61E9831A0A3068F07D23462C3EF9C8C2C6491F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056600Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:47.667{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056599Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:49.513{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC91AB8B2E78CC1BD0BAD40DDD46839,SHA256=DE78FD88EF4154B7A5086DCCA719D2850FC113A0E8777F4A5D68E56C89CE6F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077221Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:49.270{2F630BB9-8EC0-611B-2C00-00000000F001}3036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077224Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:48.388{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56557-false10.0.1.12-8089- 23542300x800000000000000077223Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:50.468{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E6BDB569BE84533B132BC254FC6922,SHA256=841ECE2083647A396A3DBCF48F85A0305B7A6790B1F122334C0C9EA6B3C06A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056601Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:50.528{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556FA9A6B1CA8B77C4828AA0097AC60D,SHA256=EEF7D17670E792D74AA4EFAD89F4897016D6ED1F128DF18292AF58FC3049DBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056602Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:51.544{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733CB799D40C09DDF7FF7A16F6FEA732,SHA256=179AC40A8D9BA1A4A52117817670B8D425DC1DADE3085A9297B5AAB08EF1E899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077225Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:51.483{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E836F4422FD7DFE3D98775B84CD75C9E,SHA256=6FD215D79E4EFEFFDF999B4E3E1E3BECB735B967BDEF1B558455C117F41563B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056603Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:52.559{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDC6BDD3E53E45917756173A3C33E7E,SHA256=807280B5E101BD1903408209C6FEF11B82C3C9DBA5402B78294405FC481E2DB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077227Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:50.323{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56558-false10.0.1.12-8000- 23542300x800000000000000077226Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:52.497{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E547DEA7141F84BFE9F83ABAB107CC,SHA256=9D1AAE06E287AC9DE674CF4492B170F7B0A4566675B2CD2AE170B1ED24F875AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077228Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:53.512{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99E8181D89268847BA0CF2F42D1CA1A,SHA256=B3F345EE9D61AB56D54605BBD462BB376FC5B76C21DE624495025EAB80519B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056604Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:53.591{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE269A6DFF6B7774429BAC8784288F2,SHA256=84B9C64E6C57F6490927694541A20D846684090EF9CBF5C5D0EBC5C67F0CE276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077229Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:54.527{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0275FEFC33FFF9F0A6A06B6BDBDEF1A,SHA256=339815506A2AD52B2743A1F7C147089056DFAE12D2F5BA2B8E78A22A0967B182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056605Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:54.624{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73196D41EEA742130D5B3969C58CCEEA,SHA256=31347BF394579D5E1861AA27EA06F3B0936680B799648235D1FA56A8B9C3BC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077230Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:55.544{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DEF540F4B15B5F36540EDAF921D1BC,SHA256=46B10818583DCF0D6473AA895336DA070B3DF6A7DF1A1B491409DF11019CB5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056607Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:53.654{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056606Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:55.655{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7040007F9B2C6738859E72A889FD8462,SHA256=998CD8E7A4230F6D783E0D61B68F8F259B7C9ACBAE01A6530BC3941D32E8BDD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056608Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:56.671{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419970663DAA989FC7F1346DD9C41923,SHA256=7C490E08C66A91FDA12F7FBD53066ADECA9BF7E06FBC99E1A1BF550751DE1FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077231Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:56.593{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B921CA8CE5F7EBA2F05CF0C27062C89,SHA256=A34C701E6B1BE6AC475AF80E13FBD4422736896D82AC49841A403A7C599729C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077232Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:57.623{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC15548C04B367B35E96208E63FD54A,SHA256=1EBEB5E7EF6C92D3AEBCABA1164B3C86B3532890E7232F496773DFB70413BEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056609Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:57.686{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3146516BF7008CD8B0034620B5DE8D6,SHA256=7CF630919813484DC49F1F74D432A982F85068A8534316E03197A53581F38B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056610Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:58.718{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFA5666237BCFAFC9F0815A9EFD1F59,SHA256=4FE7A9724A2C2F2FB0BDCE8FDAFC241E710E34AAA9A7FB4AA287FCC1B8E1F1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077234Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:58.737{2F630BB9-8EB3-611B-1000-00000000F001}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1D916B24B6FE1EB9B5E75C42B76E3A48,SHA256=DCC40CB73CABDA1BA7C62B62C0D2EECB8AECB838ADE8C18013BD7BBD5A67E9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077233Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:58.642{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C539E44A3CBCD3AEDAB033B3EEDD321,SHA256=69A46EE4814111E3CA1F4BE19DB75F68CDEC1A5B838D2436D98D314681211B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056611Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:59.733{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173C249341170256E29CFD89870690F9,SHA256=E3127553B9912A6F8951BA398CFAC34E50F8D473DCC4756465AB0733A70223BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077236Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:59.657{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9682952FD0C5F79A48B8F77993A05845,SHA256=90E8EA7931AA48AEF7F2BBBB4CA3A0FBD5F32D1595B58138857831691E2E823B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077235Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:18:56.282{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56559-false10.0.1.12-8000- 354300x800000000000000056613Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:18:58.684{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056612Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:00.765{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1D92E6960F0C31A88237C9D79AE09B,SHA256=1FF286217AB7B0A5074685A41F49F73A9F40890EFC87F248B7086A235DB66C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077237Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:00.719{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F03D9CA024CC4B403E519DF6904462,SHA256=5D95F52FFD59F21FFE8E774BB847DC740D2FA8148C7486210EBE436394A0175B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056614Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:01.811{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBF71432DF6091FD8588888FCA39767,SHA256=C084CC8E7E2E6C8DD741AD12F7A3535A0A24BAB67FCBEB207AA45A8A73D2A3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077238Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:01.755{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD05F6B39B6EC6AD6F126DFE85FF9759,SHA256=1864D4F7A44F3A8C3FAAAC0925EF1C245C22B5089654150AD34015FB8AA115C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056615Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:02.827{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C33111ADE0FC8CB20CE80C0CA112F64,SHA256=199B5294ECC867DB499D0B14349F62916B32CCDE53FCE43DBCC9EB04C7F1C21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077239Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:02.785{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4D25A5E04D12BF73BD8B9FD8E16DDC,SHA256=21EAF2B994BA08FBB9C54B2E7E6BDC811D9A696548B712FAAF811D19276F0DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056616Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:03.843{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073BAA192EE80532864304F4DF3D2BE5,SHA256=FBF6B95B6731244E737CBDC49A39A4D24BC1F4546CEFA148EE2EC13F63F1BC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077240Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:03.816{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178A9B114D7115CC48D3927D50F11F0B,SHA256=5EEE8702D2336EB3C6D8F1244F3392516A90391CAA41D820AFBAAB17D10EF379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056617Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:04.874{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66BAB79070B4D6C8F1D8605E7AEBB66,SHA256=1753FCEA2307B7B40E5A110F97056F63BEF120F606A741F4D5C67A82A5FE5373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077241Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:04.833{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81733ACDE43BC69B6FE53D2D1B5B5AF8,SHA256=7C2AABE5514363E5AD7BB808D9CEE60DE27F1584BEBF7A5CC550639E0D5D5AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056618Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:05.889{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F996CE289CD479B9F764C43770C9CC7,SHA256=8EAF9C6018F83C9BB55D5E6C08021775F368C45EE96FF00610D3D570AA2DE6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077243Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:05.851{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B44BB0857A3AFD4D06A9B205F371624,SHA256=613D6D217AAA5FEFDBBAD384DBCD45549040B852A07CFEE823FB9B79EDDDF1D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077242Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:02.225{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56560-false10.0.1.12-8000- 23542300x800000000000000077244Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:06.881{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18779573C1A4C84353E90C34F4CEEB7,SHA256=76176FC34715393725D7B8771E98D331C5F644B810CBA483C447E8C8A71C28FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056620Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:06.905{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4169C1A38A22290EE1947B84C68A7DED,SHA256=91043CBBEB3492FA95583383DCC9EA661B7B9EB476856DC0698D55D2525735BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056619Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:03.747{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056621Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:07.936{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D42AC75A5B43290D3BA2EF68527A851,SHA256=348D70481ADFDFBC93D6EFF33A4B9BAAA3AB83109877C982BD53C8C53FCE705C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077245Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:07.912{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5A396707EE10F5117DC5C650F4BDF2,SHA256=9DE5AAE5EB7C678C8E7CFB437D17C0BAC7CA239CE17A6579DA05036B41B825F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056622Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:08.952{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F175BE74D9CDE3A01764B60F6B2E0,SHA256=98A941F09B06B2F3A407E400A78DCBB156BA2755C7EC97FD9F7955F011B62A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077246Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:08.929{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C58FBA488CF7E5423B993E22783A63,SHA256=38391A5C6221D791D02539041AB034FAD3D6CFBFCA269F597602CFF04366C190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077247Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:09.954{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD20D411BF18B2FB64506760E4F1F387,SHA256=332163B043AE27F6E501901FC3B48AD054320BF663A9D688AE8BC4D22C731467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077249Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:10.970{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3A9E97BA20B52A44D0D3D80855DEFD,SHA256=758DE323D6A55C33955EC51121956958C3625EF942B7265E68EE212D98B464E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056623Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:09.999{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FAF55E694276F1B323D8F8410E4B7E,SHA256=A19996316439EDF3E70BB93E09F8070DB7EC58F7A93D4600EA6A69BF058A705C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077248Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:07.389{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56561-false10.0.1.12-8000- 23542300x800000000000000077256Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.984{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47743930EB9B59A9B8944FAEBB63D120,SHA256=73AEA07C5A6FD972C13186C8E0EC33E4C563457119E035E44B21774B244AEC12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056632Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D36F-611B-CB0B-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056631Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056630Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056629Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056628Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056627Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-90A1-611B-0500-00000000F101}4161772C:\Windows\system32\csrss.exe{8A88D375-D36F-611B-CB0B-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056626Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D36F-611B-CB0B-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056625Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.968{8A88D375-D36F-611B-CB0B-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056624Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.014{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C64E223A5409940F8375B8743D8C480,SHA256=6308706D18B4E138F90B38EEE798E12D16DAAB835F080340843985A55BD11C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077255Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=F098289BD404699FCD579230D56D3060,SHA256=95E36A74275106B6BA2CDD81ECBF5BC0562192A2739E5A8D024AADBF6F26D3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077254Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=6E268F2DBAEF549B6A2013CC397AB252,SHA256=161D67564870908C8BF35736D1B651A729242385AB0DA8660C171215A4C3DFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077253Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=374E2BD8D93415611DB0A8F219C78483,SHA256=0213B00F40AC9CEBA9B7E11CFE9F9C0AE56250D04BCAABFC007B7D29026C1701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077252Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=6CCA808E68EA59DD04A39EBF41A4AB86,SHA256=7AD7AC09E93B952C168CED67E576B98BED51547C4E455730EA592DFC6218EE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077251Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=A716C04650A8D56799B665F19D3B6374,SHA256=32F9D3867130E6CEA355A6D0FC8DD09E36165585E97F56E66AC89245B482737F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077250Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.469{2F630BB9-C763-611B-240C-00000000F001}1128ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bwvzjk4k.default-release\datareporting\glean\db\data.safe.binMD5=C503CD5A4468295F893768E5E1FC58D7,SHA256=31F004CD001461FDACCBEA128814E0ED2437825EF32030E90ED1733A2742959A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056644Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.936{8A88D375-D370-611B-CC0B-00000000F101}21005672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056643Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D370-611B-CC0B-00000000F101}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056642Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056641Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056640Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056639Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056638Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D370-611B-CC0B-00000000F101}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056637Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D370-611B-CC0B-00000000F101}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056636Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.718{8A88D375-D370-611B-CC0B-00000000F101}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056635Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:09.747{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000056634Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.296{8A88D375-90A1-611B-0B00-00000000F101}6325164C:\Windows\system32\lsass.exe{8A88D375-909F-611B-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000056633Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:12.030{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BFA4A57168A6C606288A00B4B2CFFD,SHA256=CF8DB630455CF678EAEA41620C58C1F570A0FD5608D014FC3C213774F1BA580B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077259Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:13.314{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D0DDFDA4B9600194305F0AEACB0022,SHA256=5FA6F4B3FF30D833E7ECB5F3718931093F186DE47880CFC2CD55F3AF95EFAE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077258Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:13.314{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AE7C36F313123658234A256CDD8B15F,SHA256=DEE078F0794A6929FDD250A1C98FB784B203358A21386FE91A99B44CF6B76E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077257Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:13.014{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B382D740C9638420F7F2AF8AC0C5C41C,SHA256=26174C38B3CB9A4E73343F8137B40014225993D8127260CD71B3BD14D3090EE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056662Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D371-611B-CE0B-00000000F101}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056661Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056660Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056659Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056658Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056657Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D371-611B-CE0B-00000000F101}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056656Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.889{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D371-611B-CE0B-00000000F101}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056655Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.890{8A88D375-D371-611B-CE0B-00000000F101}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056654Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.561{8A88D375-90A2-611B-1200-00000000F101}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6281DD3C6F7D3B0E724E2DD2BAD7837C,SHA256=5FE713F1361224EFF8F31B1F2333626317FCC824F4EFEAAF0034041D8A56D8A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056653Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D371-611B-CD0B-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056652Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056651Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056650Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056649Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056648Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D371-611B-CD0B-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056647Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.218{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D371-611B-CD0B-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056646Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.219{8A88D375-D371-611B-CD0B-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056645Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:13.046{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B99066A1592F3CD7996BED8BC7BE5B,SHA256=F15508718DC889AB4ACE85BB493B5C1DC8371A3FE56F2C9955AB3484B381683A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056665Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:11.776{8A88D375-909F-611B-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53210-false10.0.1.14-445microsoft-ds 10341000x800000000000000056664Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:14.144{8A88D375-D371-611B-CE0B-00000000F101}44681336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056663Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:14.066{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD5B3DC05BC7E9ED0D938F6867614D1,SHA256=24F7D710560FEBBDF468EFC53D5D09D9380EF94D14FBF89C102F96E67016C3B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077261Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:11.439{2F630BB9-8EAF-611B-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53210-false10.0.1.14win-dc-86.attackrange.local445microsoft-ds 23542300x800000000000000077260Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:14.035{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5C313AA942E868F813DFD6FD36DDEB,SHA256=DAE42895EBBC40A222D3F11759F41933FF022299245BAD10517D723185988DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077262Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:15.049{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29BAF8427B4B530FA38353101A2D022,SHA256=7D69E16A32869D941B299A0F3685534E6908A31079C7E549AC816536F50132D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056675Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.942{8A88D375-D373-611B-CF0B-00000000F101}544832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056674Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D373-611B-CF0B-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056673Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056672Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056671Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056670Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056669Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D373-611B-CF0B-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056668Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.739{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D373-611B-CF0B-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056667Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.740{8A88D375-D373-611B-CF0B-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056666Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.083{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780AEA22A88F8DEB04C34E0B9488A0DA,SHA256=449569DB62ABC560547C16E0712EC2801ADFA199E86680D2D6BCFD897AEAE970,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077264Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:13.221{2F630BB9-8ECA-611B-6D00-00000000F001}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-86.attackrange.local56562-false10.0.1.12-8000- 23542300x800000000000000077263Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:16.079{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE6485D77D6E88744F61D67A7DF4A2C,SHA256=96C8192078DE30592F43CAB7AEE5B910D8B1384981D31C755B877CBE423C00F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056693Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D374-611B-D10B-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056692Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056691Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056690Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056689Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056688Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-90A1-611B-0500-00000000F101}4163168C:\Windows\system32\csrss.exe{8A88D375-D374-611B-D10B-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056687Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.911{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D374-611B-D10B-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056686Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.912{8A88D375-D374-611B-D10B-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056685Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.677{8A88D375-D374-611B-D00B-00000000F101}19922472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056684Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-9115-611B-9E00-00000000F101}2080508C:\Windows\system32\conhost.exe{8A88D375-D374-611B-D00B-00000000F101}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056683Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056682Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056681Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056680Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-90A2-611B-0C00-00000000F101}7365924C:\Windows\system32\svchost.exe{8A88D375-90A3-611B-1B00-00000000F101}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056679Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-90A1-611B-0500-00000000F101}416532C:\Windows\system32\csrss.exe{8A88D375-D374-611B-D00B-00000000F101}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056678Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.411{8A88D375-9114-611B-9A00-00000000F101}22963356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A88D375-D374-611B-D00B-00000000F101}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056677Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.412{8A88D375-D374-611B-D00B-00000000F101}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A88D375-90A1-611B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A88D375-9114-611B-9A00-00000000F101}2296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056676Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:16.083{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B778A0B19587BC8F028FC2EBDF3545E,SHA256=2EDA539341B0F212C79BF324A4CFE46F2AC586B86A97F6DE5D77CF70CA341511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077265Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:17.129{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917C127C249333BB9993878C3925EF59,SHA256=DD07644F1BDF7E79B26AE9BED72C9CE65F431B8F8FDBCE17033CF28307943E15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056695Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:15.534{8A88D375-911D-611B-CA00-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-316.attackrange.local53211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056694Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:17.098{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7E50B34CEE5103B22BE3B87779D9F0,SHA256=50B85FC21C68360C3B22F1E8CC3588945F6CCD25B540AA18639C4994BB729EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077267Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:18.146{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A86BD1F3537516A564DE3E6C368AD5,SHA256=1BFCE34EFA35CEB5665358D469C2377B40701AC277B439B20D443F7108EE5372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056698Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:18.896{8A88D375-9114-611B-9A00-00000000F101}2296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8C2265A416AF30CFDCA26135AB16073F,SHA256=760996B203501FFC24D52066361082E7DD13F0A034AFEF58014B56F2B6E55892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056697Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:18.318{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B978A416C6B7C74B454A95789A7EF8,SHA256=890E8B15186348FF8BBEFE325AC4583F053CB1B6EC56C2B40A412A04EF3C26D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077266Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:18.093{2F630BB9-8EB3-611B-0D00-00000000F001}9083088C:\Windows\system32\svchost.exe{2F630BB9-8EB3-611B-1600-00000000F001}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056696Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:18.070{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\respondent-20210817103413-277MD5=08790323BB083F1ED681882E0F9C309B,SHA256=DCA5F295A3539AF945080BC730716EBBC1F5C7D06F515A53A05C82DD446C374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056700Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:19.348{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B6AEA05142B945A5468EF3E1DBCA69,SHA256=117FDF0E878DEEA11D292BD14FE1CE66581F489C42C88BF5039813547A32814A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077277Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.560{2F630BB9-D377-611B-C40D-00000000F001}46646484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077276Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D377-611B-C40D-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077275Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077274Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077273Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077272Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077271Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D377-611B-C40D-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077270Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D377-611B-C40D-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077269Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.376{2F630BB9-D377-611B-C40D-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077268Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:19.176{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3DC6572369EC5A73E1965B77AA585A,SHA256=0DA3696600FE994B090C9C507C62AFC54422FCD71CA92720F672E97F6CB5B117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056699Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:19.069{8A88D375-90A3-611B-1D00-00000000F101}1956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0aaabba9c1bd47e71\channels\health\surveyor-20210817103411-278MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056701Microsoft-Windows-Sysmon/Operationalwin-host-316.attackrange.local-2021-08-17 15:19:20.366{8A88D375-9123-611B-D500-00000000F101}3468NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A1B0AC1960E43A2CC571E219DD3433,SHA256=29F374DF88429BCF5D5096995B5CEE9534C81419973DA40AC97ED64F68C150B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077294Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.727{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D378-611B-C60D-00000000F001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077293Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.725{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077292Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.725{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077291Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.725{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077290Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.725{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077289Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.725{2F630BB9-8EB1-611B-0500-00000000F001}416432C:\Windows\system32\csrss.exe{2F630BB9-D378-611B-C60D-00000000F001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077288Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.724{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D378-611B-C60D-00000000F001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077287Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.723{2F630BB9-D378-611B-C60D-00000000F001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077286Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.191{2F630BB9-8ED1-611B-7600-00000000F001}3556NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4E237ADD1DB02E1CD2C5133EF3852,SHA256=BC7E4D9620F3441EF9A5EC7940A36060D2A375E108E0B87618DAD4CAB090B387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077285Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EC1-611B-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{2F630BB9-D378-611B-C50D-00000000F001}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077284Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077283Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077282Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077281Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EB3-611B-0C00-00000000F001}8527340C:\Windows\system32\svchost.exe{2F630BB9-8EC0-611B-2700-00000000F001}2968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077280Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EB1-611B-0500-00000000F001}416532C:\Windows\system32\csrss.exe{2F630BB9-D378-611B-C50D-00000000F001}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000077279Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-8EC0-611B-2C00-00000000F001}30363460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2F630BB9-D378-611B-C50D-00000000F001}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000077278Microsoft-Windows-Sysmon/Operationalwin-dc-86.attackrange.local-2021-08-17 15:19:20.044{2F630BB9-D378-611B-C50D-00000000F001}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2F630BB9-8EB1-611B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2F630BB9-8EC0-611B-2C00-00000000F001}3036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service