23542300x8000000000000000142502Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:13.169{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83E52A2629E20BFBE4B40890D3C6CFC,SHA256=F05D8772BF40205ED99289AFC5800D63821DB7FCB36BF33265C70DE03D0BB001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179303Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:13.239{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CC9130A4232458C9C5BD4660A2CCCE,SHA256=AFB67742E8A1379CB4AD6B58E71CD52B5059E4A3D42240F76A42E747DB230A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142503Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:14.216{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3404F1A5CA90305EDE5418A5117274,SHA256=D525B71439E25C8155A771B0B04C3AF661A840F5A8CB54ECBE7A854D1D4D966B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179304Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:14.286{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D5F37C9741FA863C006DA2A162BB45,SHA256=6B714DA6C9C17CA9B35795213ECB55E09826D1D7A15B90D856CBB7A44F457959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179305Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:15.301{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A375A3BB8AE6BBAF94FC5750254D7682,SHA256=466BE4D96DE1337352AAFE291E4774405C0100C3249A876D896B126C11EB4E58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142505Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:14.189{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49941-false10.0.1.12-8000- 23542300x8000000000000000142504Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:15.263{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8E4D6897B457C409C7AA8C6B00AFF1,SHA256=6FFE0F89A339458ABBF8C2874E2599A5E2A1A97296F321D6C0021EEE70D4EE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179306Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:16.317{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6CA3713CEEBE90A61FB7F3A179C92C,SHA256=5E258BCD4949BA1D3A0DBF769D77BAEEEFCECD167385336222649FDDAB0A2905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142506Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:16.278{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFEBD04EB172158FC31710845D2B88D,SHA256=D60423110A239F6D43900A6555E877EF56970CFA8EE1B8A190BF50B5215DC9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179308Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:17.551{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67ACBE42C0215AF212EC75CAE6F2539,SHA256=5A3F4920D42683D8E3C67B62C73D25E307655B3C8F63668FFA22693819592FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142507Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:17.294{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4752CB6C5770C74FB402F17671141E1F,SHA256=6836AE4E61FEB2D2BDF610D94DDDAEC13EE49DE8D5ED44668CB3ACA896397B1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179307Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:14.262{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179309Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:18.645{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8124112EF6EB5BFBB914652247FAF810,SHA256=D1EE1066091F77B0868BA0C2052E1A2D3572852DDF2E4F2C2F5B2A2D0B8B2B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142508Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:18.356{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54FC552C9C13CDD3BB67A8D6079A270,SHA256=0F4248AE0879CAB2B7616E64C19C95E997F3FB40FCA020D207A81A1B0E39C802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179310Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:19.770{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FBE069BCCAD3F432C669F56E3F9711,SHA256=12CA3494FAB4F9AC8A275A63A81454A3F56FD51703E749A2872ECFF87BBA7A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142509Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:19.419{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FCCAA43F1E66F33749F2B355BD4380,SHA256=D462928A73EE0F89F41B5A2BA218D6A917D62F1BC27F8E778E12088B7F4A1B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179311Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:20.787{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09F591A99F4F2BD035915707F7DD005,SHA256=B5C657379F8A6F72D857832972833FAA7D89C3E197D0BF69105B1E0B72E2ECA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142510Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:20.466{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4347137185E0B04FC04B1A24CA412C2A,SHA256=64CB5D5B4B47DE3DF1E6F7C48037B4F6BAF054BBD19CBA72FFDF3CEE7E30032D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179312Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:21.819{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A056FBA69238BF9E98299AFDE07C93D,SHA256=80C662B02A2944DB2DFEA06DDB96995DFB2561B13420745479B50299D035D233,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142512Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:19.251{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49942-false10.0.1.12-8000- 23542300x8000000000000000142511Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:21.512{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1B3A416D6C0B3457DAB7B9DB18BA96,SHA256=CE572318CA35A562E16D2DB5384796B764FDF20EB80F9466EFA540FA9E08756E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179313Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:22.834{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6DDA12CC80087BFE9D0BE2B4A1E19A,SHA256=5E157E9E6F0203355128A4DD6E0027EE01BE8F532A5B475F304B2CB03ACD18AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142513Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:22.528{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC510424A2A430B3A3D991438A73169,SHA256=8A02DA7CDB0106AB15D19A2226E389539A37DC03125F6F51555B63FE36B6C837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179315Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:23.850{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2807919314DB7F273E2DE213BB374172,SHA256=97493310AB05DA6D3A600BF85BD32EEF3629D66CC61A22B1D0AAE09A0F789E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142514Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:23.575{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E6D984A20BBBBDB99F6B5EA822302C,SHA256=DE35A510CFDB4EDFAAF6870972757E279F3BB7CACB6069ECFE42A02668E9FF1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179314Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:20.216{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179317Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:24.866{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8612D7BCA3CCEB111E73AA2B3AC6AE,SHA256=8A8DB4A3ED4BD451CAFD63D9BEBC619E10336BCF2BCCBD9116F0E49635B682A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142515Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:24.637{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4B453117255823AED4DA1475F943E2,SHA256=FB06E5858E435CFF043B31ABB5A6DAB83DA1BBEAC94B888E90F26A1A814BBAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179316Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:24.038{5F1D3C56-34F6-60B7-1200-00000000C601}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7F6C1F70A64075BB843F82386A46312E,SHA256=BD9D55B049DDD8E838E586C248C6BE7D8DA3E734900B2DBC28D6CE4547ECF5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142516Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:25.637{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CA4B3464359CBBCE28CE052FB9162C,SHA256=6E8BEF875C0244D44A6FC8C1C7709AA5414DBBB1D2C33B1EC17A5A33C7889D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179318Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:25.897{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE68FEA27FBCEE1870144008C5A60B3,SHA256=B716EEAA6E863CC03ED8C35C7756A1BFBA552AFC4BE37797F1B657897DF9D02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179321Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:26.913{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DB15437B04E912F35341D840C35F98,SHA256=E72626C26948E8FAB797673751C28048D238005F504B128E4025D8941BB410FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142518Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:26.669{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A5E76789D5C766708C0E6A3762F464,SHA256=716D174948FA7E1F6E92E76554F8B61DB8D95361D19C3DA93685063CF9BC9F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142517Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:25.173{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49943-false10.0.1.12-8000- 23542300x8000000000000000179320Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:26.131{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C616062394D61D12061A1A69EE346A,SHA256=6CBE4F7EAD02A28DE0935CA7B2330CA35F460C4424A7A441BEC17F73AC136E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179319Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:26.131{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8215229452B7F81AAA67BC9AA98120EE,SHA256=393874125342E5B0DBFB56372B5F4337FC87CEC06095510ECE275CE981B8A935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179322Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:27.928{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEEBEF3868E8402C13BB31B12C3BBB9,SHA256=92DDA5C4DCB83FBCC057101C21A2825E90B10B120E5C68E40412A2F0337FD891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142519Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:27.700{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0062E464F41A024A094B532000D74E,SHA256=E7CF3308DDC73ACBE4EA8023370D06DFFF960098558760E04AA919BE751D8238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179324Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:28.929{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F050559C9C52808AAB2B961EB95CE6DC,SHA256=440E2BD2153F7D0DC435848B40681176A1B298859A5BF1F2DDB5E062556E5869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142520Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:28.716{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61039CBD9294CCCE7CACC9CDAFBD3FA6,SHA256=A6CE52D0EA859B60CAB8D48C6CDC941F7EE801C0B3BF70A73454EB9914A9A426,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179323Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:26.185{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000142521Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:29.747{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460B19C3429909C812401B0AD3AE4B4A,SHA256=C1E15F753E4AA446B38F2DB6DBE2153B1817F70F8A291E8D068E30EE8FD7A6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179325Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:29.944{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB3A56735BC60ADB3BD5E59DD24FFF2,SHA256=66EFAE04C13783CC406750C2009C8112FD637440EE3B9348CA839F9167256926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179326Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:30.960{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357D584D5DC7E2287BF456930C9E5ED,SHA256=82C66D42475ABE000D8CAC944A64DA95241D49592770B37BE8629FD39F36AD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142522Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:30.762{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2398A6523A95BE6167161A832DC8C97,SHA256=19647C37A79BA500AC954D52F8CFC53789BEA2C80C93137665B307E0422E1816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179327Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:31.975{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278DA33C7B1C20DF0544569D52BB4576,SHA256=28132014381A39AD8CF02A4666A219AF69593014CFF9F6667ED0AA632D37DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142523Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:31.778{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AF15ED85ACDB87FA8AAB14DA5149C,SHA256=8C42FEF16E810EBEFB05BAD238A923A6FD311BD1CE028FD9D3176E4147D77A51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142525Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:31.157{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49944-false10.0.1.12-8000- 23542300x8000000000000000142524Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:32.794{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4B1A2DE5D4294C6C56B1B21CFB8F75,SHA256=DED5A4C46157FAD1E0700E595756B13D0AE6A6383DB05071E30FCA61D11C60B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179329Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:32.601{5F1D3C56-34F6-60B7-0D00-00000000C601}8885628C:\Windows\system32\svchost.exe{5F1D3C56-34F6-60B7-0F00-00000000C601}288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179328Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:32.601{5F1D3C56-34F6-60B7-0D00-00000000C601}8885628C:\Windows\system32\svchost.exe{5F1D3C56-34F6-60B7-1300-00000000C601}476C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142526Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:33.809{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B1F7BA6D816DE5D34D541E095F9709,SHA256=8C65837A1D985A95E4954CE157FCE5C03E98F1D74B1E5C9DB3DA813DED8926B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179330Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:33.023{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6A23ECD15571F091CA4FB6BFDDEBA0,SHA256=FDF78EAC000873819D8BA15245F050FA3871E01874F6400E9E0EE391943DEFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142527Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:34.840{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1E768B39F8607E1C34DD9993541CF7,SHA256=073C3AC60DFCC2EE37F32E6750EADE47EFF3569B711528A691F4B3095A8D106D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179338Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:32.091{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000179337Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000179336Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000179335Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000179334Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d75784-0x631cdd19) 13241300x8000000000000000179333Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000179332Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:53:34.085{5F1D3C56-34F6-60B7-1400-00000000C601}1052C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x8000000000000000179331Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:34.069{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF124A0DBBAE14152CA89CAB3529F2B3,SHA256=5D87B5BBC12B7863C1E37013498D32075217CA9E9EDDA78769E01102C6E0963C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142528Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:35.856{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5017799A70401B525AA208519D329B3E,SHA256=A2B4DFBA4200BA9DF1848F0902A6527C03C0E33068CC48DA06769E6FA6E978F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179339Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:35.101{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF212ADD956C14DF61B0697E9E2F490,SHA256=70C0FE1D017736C717E9EE79FD9E8A86FCAA519251144D8166547978E9459BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142529Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:36.872{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9571ED581F691683D73E7922E897D9F1,SHA256=4F3B8183ED670812E2A4FA48ADCD50CDF297A5C1EE060AADEB9E166B84284621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179340Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:36.116{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DDD65E2732507CE18F0FBEC4B2B6A4,SHA256=DFC3B4EF10D6430BADCD9C26C3205A5B57D159857D998C2A5A7AE4B98EF82F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142533Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:37.887{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5348BDB80A9052B00E5E216CA0568091,SHA256=C6732679EE32C420B11ECF8948B5A04220DD2EB42EA7E147E511EB29C7993F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179341Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:37.148{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62048A39EC275A17A630A91F53BE64B7,SHA256=02FB4C46EBE50AB7BE7E3E396D29CD22B99F20A7E65E71936E3AB8A36CA99D66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142532Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:37.684{9747DA6D-34D2-60B7-0B00-00000000C701}6362036C:\Windows\system32\lsass.exe{9747DA6D-34D0-60B7-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000142531Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:37.684{9747DA6D-34D2-60B7-0B00-00000000C701}6362036C:\Windows\system32\lsass.exe{9747DA6D-34D3-60B7-1300-00000000C701}376C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142530Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:37.684{9747DA6D-34D2-60B7-0B00-00000000C701}6362036C:\Windows\system32\lsass.exe{9747DA6D-34D3-60B7-1300-00000000C701}376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142535Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:38.919{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9123C39200C92F029EE85968F08A026B,SHA256=1154912292B7D224810507CC1DE404077EF9D2D24E9DC7463EBE148E0BECFB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142534Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:36.267{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49945-false10.0.1.12-8000- 23542300x8000000000000000179344Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:38.726{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62148390B5C5096E3C5679626EB28FD,SHA256=6D5C940B6577CED71FAECC02E64EB1C51A0354614BD6FC0E7F266D3EFE9F8C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179343Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:38.726{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C616062394D61D12061A1A69EE346A,SHA256=6CBE4F7EAD02A28DE0935CA7B2330CA35F460C4424A7A441BEC17F73AC136E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179342Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:38.148{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42BB9F0FF9024DC5263F5AFA52CFDE9,SHA256=238C1B7F6F890FF5D3687D040E4BC7999D472FB55E90D7779F0E53FEA2B5AC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142536Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:39.934{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB84B741AB13793064ED3E665724CC01,SHA256=DF4CD28214239FC7C3CD243F8592AB5465E57B9763DE9CAD255DFEE555A032B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179347Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:37.278{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000179346Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:36.755{5F1D3C56-34D8-60B7-0100-00000000C601}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-67249946-false10.0.1.14win-dc-410.attackrange.local445microsoft-ds 23542300x8000000000000000179345Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:39.163{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B71D92E6E472A771836DDD88B8DDD6,SHA256=776CF0CCFFC47BC0412E763BCBC0C10B17CB3BFB98CD2DABADF764FC89BE25D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142538Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:40.950{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3AF4776ABFA0011E1A12EC6F2743CD,SHA256=6110D8DD5F7975B4C073A595AE8D2E56136983308752F716423BB9EAEEAFF0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179348Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:40.226{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE12E56395AA43BA5EAAF7FB48AA46FC,SHA256=486BE0EA2B77FAAB5BBCC3D06E8CF21F3D4A0AC150B548A2D7DC4743409ABF44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142537Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:37.756{9747DA6D-34D0-60B7-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49946-false10.0.1.14-445microsoft-ds 23542300x8000000000000000142539Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:41.981{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C1064288676F4C9B16FAEDB9FC6A4B,SHA256=C79275B85BFED27BC65D147EDB9639D127FCE04969E002231DF34A7D446F5E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179350Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:41.231{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2700BCB4BA9CC48D9AE4BC4A3A8799,SHA256=9CC9B43BDE4DD5778972D003D72ECC38D7944D4B89E47CD0B80EB2174E445BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179349Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:41.027{5F1D3C56-34F6-60B7-0D00-00000000C601}8885628C:\Windows\system32\svchost.exe{5F1D3C56-3629-60B7-A900-00000000C601}4332C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179354Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:42.653{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-34F7-60B7-1600-00000000C601}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179353Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:42.653{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-34F7-60B7-1600-00000000C601}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179352Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:42.653{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-34F7-60B7-1600-00000000C601}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000179351Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:42.262{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BD29F83515C775FDF0C3B9BA2509E6,SHA256=F7020C6CFAA8C83C52BCFDD2CA916D5D8DB9FF1F2D590262D3DF6C8D8EF1FE7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142541Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:42.126{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49947-false10.0.1.12-8000- 23542300x8000000000000000142540Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:42.997{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E530C228C223FED563D91B7BB83D6B,SHA256=FFBD9AFA0B5B75A6E7180CE548703FFE9A8CF0C5F5BD5F1947C21F9380D698CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179355Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:43.278{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9FE3D59CC0B717D2084AF427F75FB7,SHA256=28C9E3F4DDE7080DB9A152DA46A0D45C62681382586F99A1EFBBD3C641A8A3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179358Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:44.356{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BC3AD2AB1871EFB4FFFE86BCFB349EC,SHA256=DE4644C0D8E759C46D02BD38DC2791C7ACE9A7C070A556DBA4B2DBB93DEE90D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179357Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:44.356{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62148390B5C5096E3C5679626EB28FD,SHA256=6D5C940B6577CED71FAECC02E64EB1C51A0354614BD6FC0E7F266D3EFE9F8C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179356Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:44.325{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F024601050ABE296D3BC17CEFF96940D,SHA256=85A4AA4D90BA5882A10B286F4CEB1A4FA0238CBC1B8EB885ADD0980458F15511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142542Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:44.012{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99287BC2E0FCB732D67C688CC3073FC6,SHA256=71B45FE878AD5A47BC42D108C1EC69B13D0E3F6FF7293C4372732FCBF5D3DE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179359Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:45.356{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C66773715FEDD20C51BBE8D03658D6,SHA256=C240BF54E22799B3509077F2E348D55C6D59CBE13BDB567C2E6571D6C2D0A4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142544Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:45.747{9747DA6D-34D3-60B7-1D00-00000000C701}880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=194A7A491F9AE18BFD91232C3DBF389A,SHA256=821528D0984405BC323B788333E8253B5DB6CE1350C79F9D6B19C88BEDD236FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142543Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:45.012{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45C556839BCFFBC0B98CF48BDD4918D,SHA256=E1B1CD538FCA9106C5539AFF2D3278CEF366A30F81FC6B67F843FD121BFCD236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179361Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:46.387{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB787636B6CB3D7D2EF1E6BEA78708C,SHA256=7304D3E6D9B87E22462587EA3AA9E1872A37A06751CF4F18A8EE9F5332748DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142545Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:46.075{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F232892566A00756A0ECE4BEED66FB3,SHA256=8186107624388DE1DB060825E3E6B168EBE47E0C4284F00B95C2CD5E1A2EE6D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179360Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:43.173{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000142548Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:45.798{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49948-false10.0.1.12-8089- 23542300x8000000000000000142547Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:47.215{9747DA6D-34D3-60B7-1100-00000000C701}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1254B55B78FF378089A7F95C49E71510,SHA256=30C50C615C413FCA642DC22B470BAD98AB3DC55F13F256079EDB7D3F63566F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142546Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:47.090{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB42366A75CE8AA680887703B689088C,SHA256=08638F1A2292DC9D24C5982D3B5514894C0D2EFD96EDF83B4EDB2BDD3908C35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179362Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:47.403{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C1D1BD93265600B96ED90D4E6E91F3,SHA256=A990781E53964D8EA6F10C22BDD217562DC38880946439E6303F8775E67F99F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179363Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:48.434{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED7667C820F5925406B2C0DA48E12E4,SHA256=DB1DE3F0460EFB25FEB38C65266E36DA854861925889737CC8E85AEBEF9E7FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142550Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:47.251{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49949-false10.0.1.12-8000- 23542300x8000000000000000142549Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:48.106{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48137B33F7412432CD141034395BFB89,SHA256=7567A7EC33451A9CA1DBF79B632EC2BBAC6B2A820A9E3ECC14400819C9CA6861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179364Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:49.450{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110104D93FCE58CA2B5B1215A6599DB0,SHA256=EEFE5F57EDCF1CC90326A8ABD47423C5976824BB3709C47952684B6CBC555EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142551Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:49.137{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015C794491F132F03D4E21FBEADBDB30,SHA256=7EFBD551080C79CBA3D7EC8E17B1FAEA008C2268C45F1330F7E1CA074A7ECE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179367Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:50.465{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A874393F4F6F241B77978B9805277320,SHA256=5A498B11491616EC7CA99E9545FB233C0C96FB55A0A5ED47AB55FD1066471F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142552Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:50.200{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE8DB104CEFAE0EB5A8D4DC38079EC7,SHA256=A678B3FCD9BA741DC65C799E10459CD53AE3FB79A76FE4771817F6F4BEF6C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179366Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:50.090{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=162C0C9DD11446C896CD0471CFF1E445,SHA256=8ADDD51753CC55E54BB218ED6214FCC3A72C353CB1AC4B2CCC840808F9137526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179365Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:50.090{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BC3AD2AB1871EFB4FFFE86BCFB349EC,SHA256=DE4644C0D8E759C46D02BD38DC2791C7ACE9A7C070A556DBA4B2DBB93DEE90D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179370Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:51.606{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE850F7A58A5113A22672B8E127DCEF,SHA256=4785B7768534354B5766139D0BE87808C575B4B31DE3E5923603F49687070BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142553Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:51.246{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373EDB5373E642CBF6B6C590127C750C,SHA256=3561222C1EE8B73A90AFCB9AE6C78716D584A82CD447F9A2E9BC2C6104A7B401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179369Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:51.247{5F1D3C56-3507-60B7-2C00-00000000C601}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=194A7A491F9AE18BFD91232C3DBF389A,SHA256=821528D0984405BC323B788333E8253B5DB6CE1350C79F9D6B19C88BEDD236FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179368Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:48.220{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179371Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:52.637{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6290E82BB4E28F027655FCBB19E8087,SHA256=CFBC988489F5AA039335F7A4B3A643BBD08FEF283AE1F42CC5AE0445A78E79B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142554Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:52.293{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03893A1DE7D6F12CF9424C0163FF5779,SHA256=A5C8A3E7614685AEECA390086EA813974679D742C6F9C86E60F7450DA6FCFEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142555Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:53.340{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830EA589205E8A1540F9A62D54175E2C,SHA256=BCD0C8AEC97CC76300B4A6D1F27B9FF1A1BC9B15716DF9A7E58BEC53F1C27F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179381Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.669{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33F95AD98AFA1B5FD401439A6922C0C,SHA256=6DE68A44750522873B1219A5D26C99112BBD730E806EA9CAAFF7DC6F57817861,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179380Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3911-60B7-4E01-00000000C601}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179379Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179378Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179377Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179376Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179375Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-34F4-60B7-0500-00000000C601}4084620C:\Windows\system32\csrss.exe{5F1D3C56-3911-60B7-4E01-00000000C601}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179374Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.200{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3911-60B7-4E01-00000000C601}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179373Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:53.201{5F1D3C56-3911-60B7-4E01-00000000C601}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000179372Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:50.285{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000179392Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.684{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32486FBAADEBBAC0CBC4317A941DA337,SHA256=9422A8C05A6319CFF72856AF8FA93DAA87D51DA50CA0AE755E2C628A35228CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142557Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:53.157{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49950-false10.0.1.12-8000- 23542300x8000000000000000142556Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:54.387{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD277C517C4DF1180D0720BAA8FE91ED,SHA256=3C7ABB89DC6E1A45135C7D8A13EE8E1489AA197AB31D6E20E66D832C2A92F28B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179391Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.294{5F1D3C56-3912-60B7-4F01-00000000C601}55723400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000179390Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.216{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=162C0C9DD11446C896CD0471CFF1E445,SHA256=8ADDD51753CC55E54BB218ED6214FCC3A72C353CB1AC4B2CCC840808F9137526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179389Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3912-60B7-4F01-00000000C601}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179388Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179387Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179386Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179385Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179384Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-3912-60B7-4F01-00000000C601}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179383Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.012{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3912-60B7-4F01-00000000C601}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179382Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.014{5F1D3C56-3912-60B7-4F01-00000000C601}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179403Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.731{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDC249A3EAA8283EDCF42A95A340367,SHA256=9EFF18B81CBE77F64D42FA2F0C2F8D2D204EEF2DE1155FD8FA3BDC6B56A61B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142558Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:55.403{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C648E9122944769BF0D7D86B2EFC9D,SHA256=7035E58AF77B7BB84F5BB4245E15048FDBC16428990284EA10F187725EBDFE3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179402Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:52.627{5F1D3C56-34F4-60B7-0B00-00000000C601}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-410.attackrange.local58521-true0:0:0:0:0:0:0:1win-dc-410.attackrange.local389ldap 354300x8000000000000000179401Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:52.627{5F1D3C56-3507-60B7-2D00-00000000C601}2496C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-410.attackrange.local58521-true0:0:0:0:0:0:0:1win-dc-410.attackrange.local389ldap 10341000x8000000000000000179400Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3913-60B7-5001-00000000C601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179399Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179398Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179397Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179396Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179395Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-34F4-60B7-0500-00000000C601}4084620C:\Windows\system32\csrss.exe{5F1D3C56-3913-60B7-5001-00000000C601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179394Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.028{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3913-60B7-5001-00000000C601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179393Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:55.029{5F1D3C56-3913-60B7-5001-00000000C601}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179414Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.794{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4535A319E0639EA0FADF65B3F7CCD355,SHA256=1A483EFAE1C4F2F466F872CD37AC2BCA941C7B65696369E0760F6548D3718D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142559Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:56.450{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72763757BA048CAD735FA1212418604B,SHA256=4937A9914A4B47EA9A14EFD6CC7EF0312ED7AA807CCBC040A582760F62F1353F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179413Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.747{5F1D3C56-3914-60B7-5101-00000000C601}53322052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179412Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3914-60B7-5101-00000000C601}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179411Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179410Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179409Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179408Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179407Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-34F4-60B7-0500-00000000C601}4081252C:\Windows\system32\csrss.exe{5F1D3C56-3914-60B7-5101-00000000C601}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179406Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.575{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3914-60B7-5101-00000000C601}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179405Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.576{5F1D3C56-3914-60B7-5101-00000000C601}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179404Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:56.044{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2BADB5890B9C37284147962CCE4546,SHA256=436E2B51C59CA126DBA4CBC0A3362926D73913F52C1C82BF2FEACE918EC5DB35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179426Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.920{5F1D3C56-3915-60B7-5201-00000000C601}8842056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000179425Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.795{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677F251F828F27EA074EB83F32C9BA27,SHA256=E2C2EF606F92AEFDA61DF469E4F291530D22D2AA31F2D26989F83ABF2DA5D83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142561Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:57.481{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6594D895BA068AC7E9FC035B8159A6,SHA256=CAB77F43C04E9F1D9BC032BCF91E6E340149E0493D1C52E3C29BAA64E4398C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179424Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3915-60B7-5201-00000000C601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179423Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179422Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179421Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179420Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179419Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-3915-60B7-5201-00000000C601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179418Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.701{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3915-60B7-5201-00000000C601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179417Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.702{5F1D3C56-3915-60B7-5201-00000000C601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179416Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:57.576{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E8ECB8165187B7F3FAD5BFA919C0AB4,SHA256=7BFA9C15D1735DFC827DD10172A46A7C77B958E9F5F16D0124F9B3482E33E2D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179415Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:54.237{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000142560Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-SetValue2021-06-02 07:53:57.387{9747DA6D-34D3-60B7-1000-00000000C701}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75784-0x71007f5a) 23542300x8000000000000000179437Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.839{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D0B58557E1E112C1109AB87C159274,SHA256=3A622637E137B52687081D0EAE7D560BDB93178D7C6E193EF8483EA02A770BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142562Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:58.481{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E550B1A1FFC82FD978A45C994D0FEE,SHA256=39F05E47365A289AAA23154D43C8071110434C7D2B85D9D256AE02BE986AEB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179436Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.714{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ECE1E7950A42E0988A7577A5D89D7AB,SHA256=399D25AE58F6863FB1FABA30A3E2FD7F9E6F8D2726302C4C124421AF31B901CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179435Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.433{5F1D3C56-3916-60B7-5301-00000000C601}52525216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179434Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3916-60B7-5301-00000000C601}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179433Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179432Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179431Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179430Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-34F6-60B7-0C00-00000000C601}828868C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179429Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-34F4-60B7-0500-00000000C601}408424C:\Windows\system32\csrss.exe{5F1D3C56-3916-60B7-5301-00000000C601}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179428Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.201{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3916-60B7-5301-00000000C601}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179427Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:58.202{5F1D3C56-3916-60B7-5301-00000000C601}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179446Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3917-60B7-5401-00000000C601}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000179445Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBF471A48451D0ADA3819306F01BE62,SHA256=097030F88671585CB94359AF704AD83A6DE382176BE3A2CF4C772FC9774504CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179444Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179443Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179442Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179441Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179440Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-3917-60B7-5401-00000000C601}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179439Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3917-60B7-5401-00000000C601}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179438Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:53:59.876{5F1D3C56-3917-60B7-5401-00000000C601}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000142576Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3917-60B7-0C01-00000000C701}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142575Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142574Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142573Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142572Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142571Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142570Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142569Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142568Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142567Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142566Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D2-60B7-0500-00000000C701}420536C:\Windows\system32\csrss.exe{9747DA6D-3917-60B7-0C01-00000000C701}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142565Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.746{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3917-60B7-0C01-00000000C701}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142564Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.747{9747DA6D-3917-60B7-0C01-00000000C701}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142563Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.512{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CA4B72AAB2A8702790CD25AE52C786,SHA256=744D85B96A24764E5E3C72CEC8C43FF638490E92DF16B3FEF355FE0C36C497F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179448Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:00.898{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198D5BA4B777860102ED602594B0ED3,SHA256=ADA95175E84F0075617E99A92225B977D7AEE53A2A0251F356B44F1BE8FC5D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179447Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:00.898{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F204C0739A6077FC1FE56397371E44,SHA256=99F80EE2310CCF1702C4585E7A95DDBAD971741DC0851B805E1B6BE6879CCECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142594Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:53:59.142{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49951-false10.0.1.12-8000- 10341000x8000000000000000142593Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.871{9747DA6D-3918-60B7-0D01-00000000C701}27322308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142592Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.809{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE31D28976F337CECA0290ECA0A85F35,SHA256=609B0499CA518AE8EA9011ED0768E7A80FF674ABC9C0206F0A5A0BDB8D52C54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142591Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.809{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3114F350D6A07461C06A281FDC6CF2D1,SHA256=4D1A42033E8299CD9C3F588D90353BD632C5646EF4D9E74D053BCAE1C3B913BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142590Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3918-60B7-0D01-00000000C701}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142589Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142588Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142587Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142586Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142585Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142584Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142583Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142582Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142581Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142580Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D2-60B7-0500-00000000C701}420436C:\Windows\system32\csrss.exe{9747DA6D-3918-60B7-0D01-00000000C701}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142579Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.637{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3918-60B7-0D01-00000000C701}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142578Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.638{9747DA6D-3918-60B7-0D01-00000000C701}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142577Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:00.528{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6393B8765A5425D2C77DB5AFF512BD2C,SHA256=6EEB56C31555E7FD9F0CDBDD912CFC5CEEE2609DCA3105997161DF9201EE7A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142608Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.981{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1638F65AC31E7D67B7A71FA08C4A595B,SHA256=C25058907796E4F7EDE26AC375E89D15340EA83E0C442D4A695E106D7DE2A30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179453Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:01.915{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC4CED6BCC568FB21AA39198DEFC86E,SHA256=074AB2951902A9109F9CF80E2F73172863C3A0ACBD85D518A98709BAACC2E020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179452Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:01.102{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179451Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:01.102{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179450Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:01.086{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179449Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:01.086{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142607Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3919-60B7-0E01-00000000C701}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142606Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142605Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142604Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142603Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142602Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142601Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142600Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142599Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142598Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142597Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D2-60B7-0500-00000000C701}420436C:\Windows\system32\csrss.exe{9747DA6D-3919-60B7-0E01-00000000C701}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142596Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.309{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3919-60B7-0E01-00000000C701}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142595Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:01.310{9747DA6D-3919-60B7-0E01-00000000C701}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179455Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:02.930{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2C143B2B927C218C696FF951070D79,SHA256=F2F743D0CCAE3119A20D395E591E0615FF5240877AA0A51FC5C18C0934CB20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142609Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:02.434{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE31D28976F337CECA0290ECA0A85F35,SHA256=609B0499CA518AE8EA9011ED0768E7A80FF674ABC9C0206F0A5A0BDB8D52C54F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179454Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:00.091{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179479Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.945{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388E0B1710E3D765039C11194D25DE5D,SHA256=4E4404A806A5C524F751C055A0FD85A45D65D8B63C2FAAAF28504D033FA83AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142624Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.840{9747DA6D-391B-60B7-0F01-00000000C701}30761660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142623Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-391B-60B7-0F01-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142622Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142621Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142620Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142619Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142618Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142617Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142616Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142615Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142614Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142613Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D2-60B7-0500-00000000C701}420536C:\Windows\system32\csrss.exe{9747DA6D-391B-60B7-0F01-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142612Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.559{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-391B-60B7-0F01-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142611Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:03.560{9747DA6D-391B-60B7-0F01-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142610Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:02.996{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ACF9FF079754475AF543D1C2DDC943,SHA256=9AA92E209600F38B61F59AC42C6A5DC443C214C58C303137C158A8A71ED6E138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179478Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.430{5F1D3C56-3629-60B7-AA00-00000000C601}43924572C:\Windows\system32\taskhostw.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179477Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.352{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179476Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.352{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179475Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.352{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179474Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.336{5F1D3C56-362A-60B7-AF00-00000000C601}47685040C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179473Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.336{5F1D3C56-362A-60B7-AF00-00000000C601}47685040C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179472Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.336{5F1D3C56-362A-60B7-AF00-00000000C601}47685040C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179471Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.336{5F1D3C56-362A-60B7-AF00-00000000C601}47685040C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179470Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.305{5F1D3C56-3629-60B7-AA00-00000000C601}43924572C:\Windows\system32\taskhostw.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179469Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.305{5F1D3C56-3629-60B7-AA00-00000000C601}43924572C:\Windows\system32\taskhostw.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179468Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.289{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179467Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.289{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179466Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.289{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179465Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.289{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179464Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.227{5F1D3C56-34F6-60B7-0F00-00000000C601}2881584C:\Windows\system32\svchost.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179463Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.227{5F1D3C56-34F6-60B7-0F00-00000000C601}2881340C:\Windows\system32\svchost.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179462Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179461Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179460Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-3626-60B7-A000-00000000C601}37643208C:\Windows\system32\csrss.exe{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179459Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179458Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179457Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.211{5F1D3C56-362A-60B7-AF00-00000000C601}47685992C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+16ec6c|C:\Windows\System32\SHELL32.dll+19e878|C:\Windows\System32\SHELL32.dll+284653|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16efb0|C:\Windows\System32\SHELL32.dll+16c38e|C:\Windows\System32\SHELL32.dll+c40f1|C:\Windows\System32\SHELL32.dll+c6fd6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000179456Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:03.216{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\test\" -an -ai#7zMap30208:124:7zEvent29430C:\Windows\system32\ATTACKRANGE\Administrator{5F1D3C56-3628-60B7-E8A0-090000000000}0x9a0e82HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{5F1D3C56-362A-60B7-AF00-00000000C601}4768C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000179481Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:04.961{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CAABC4246BBFFE75F1D7F7D522E137,SHA256=83AA1A001047BE520FFEB8575262CFCC31767A45FF73E3E3C2583BED61590A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179480Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:04.242{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D0B4E41F5015345EB5B8BCBFD91C24,SHA256=64F0D998D15633E9ABCE6242D51778C3BFD29E6F3871B02C9A5DD03053F358A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142640Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.590{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB1ABF95E30275C347D6E1236846C301,SHA256=51BC532D23AAF48C532A3D9E1C62A5C13F1F0D227681EC69AD44FF9C44E35271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142639Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.574{9747DA6D-391C-60B7-1001-00000000C701}24083340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142638Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-391C-60B7-1001-00000000C701}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142637Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142636Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142635Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142634Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142633Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142632Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142631Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142630Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142629Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142628Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D2-60B7-0500-00000000C701}420436C:\Windows\system32\csrss.exe{9747DA6D-391C-60B7-1001-00000000C701}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142627Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.371{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-391C-60B7-1001-00000000C701}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142626Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.373{9747DA6D-391C-60B7-1001-00000000C701}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142625Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.012{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09D0F54035A3B75EAEE9725906D3861,SHA256=03150B1E1E3B970ACFC55F8B3492EFF96178366A9D5874F4547CB1FA45C78A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179485Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:05.977{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C32C0D35EF95D30C3414A73E5C9D2E,SHA256=EA9C99556CE2025453E5CAACE4AC6A6EDCB429B0FDE1BD7BF49A8778A65F6624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142655Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.215{9747DA6D-391D-60B7-1101-00000000C701}30363172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142654Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.090{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D5921824E4B37ACB682EF7CA5023F4,SHA256=0B6A0F88E0879DB4299638D864DC85FBEDE90D73721E5C1C5BCF2FF0C3367A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179484Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:05.867{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179483Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:05.867{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179482Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:05.867{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-391B-60B7-5501-00000000C601}5836C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142653Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-391D-60B7-1101-00000000C701}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142652Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142651Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142650Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142649Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142648Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142647Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142646Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142645Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142644Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142643Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D2-60B7-0500-00000000C701}420436C:\Windows\system32\csrss.exe{9747DA6D-391D-60B7-1101-00000000C701}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142642Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.043{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-391D-60B7-1101-00000000C701}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142641Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:05.044{9747DA6D-391D-60B7-1101-00000000C701}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179486Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:06.992{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500462D23ABE9092D6A00FB6F21063A8,SHA256=5BBEC9E07796D0956247E010282AC1E35B6F6BC2C959427517A198BB4ECF978E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142671Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-391E-60B7-1201-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142670Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142669Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142668Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142667Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142666Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142665Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142664Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142663Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142662Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142661Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D2-60B7-0500-00000000C701}4203668C:\Windows\system32\csrss.exe{9747DA6D-391E-60B7-1201-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142660Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.232{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-391E-60B7-1201-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142659Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.233{9747DA6D-391E-60B7-1201-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142658Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.107{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5C7BFC9DCB2C8FF9A051F3FAF6D9C0,SHA256=B9D3506A78539B62729BFD864ABF1653189C436FDD783BCB6B0F2416E63D98AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142657Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:04.329{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49952-false10.0.1.12-8000- 23542300x8000000000000000142656Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:06.076{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B923663DB96B9A5644D514D4D78FF01,SHA256=354E629FA3B3D9650A3421C17CC2ED53D2AC43CB4D3897C9B562D09F42B975A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142673Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:07.386{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2787CE5F953D1F373AD4E421B36770D5,SHA256=845237E9EA1A8C9BCD630538C5ECF24B71FDEDF05D40DCD8D16C9F18E0BBB7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142672Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:07.120{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E984BB8A0E5BBFCC525B1C6173D69DEE,SHA256=A1B2CEB744834F8CEE1F09496BFB3E9B7940C9CE6A71703D9B6664ACAD33D501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179487Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:05.090{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000142674Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:08.127{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63981E4DD817B2B2E8BC87A2CE0317F5,SHA256=799CCEF6F27BCAE5392D911AB469752D4B0566EE952E26B6D920D42BA11C61CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179488Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:08.008{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F3081F88C27835A26466A572924194,SHA256=D4D273DFAD391298168967B5CBB17362FD1F20BA49FF14BD2BDF10C9AFDFC522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142675Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:09.142{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61B92AAF9BC9AD3070587DC29C24FEC,SHA256=FF56FD91ED9A7E9E02500B602DAE10BD6555F3334338FE55750EEB4E3228DCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179489Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:09.024{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322512B2982FBB30E20F9FC813DD93E9,SHA256=1E06B3AF2EABCB10EE11B7D2FC9DAFEF7B9560AD5CB155777EC00829A5F69B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142676Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:10.173{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61CA611D528978CEEAC74653F4FCDFA,SHA256=F044AFEEDB213A6C5C76B2DCB6A61DB5792CAF166FB425BF3F2C1EB610BB76B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179490Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:10.039{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4A461E1A7EAE64E91A81756B02DF69,SHA256=8D1433D9848A95DA442E8B92A3F7FD29253E20E4DF1C48C5AAF3C0B8CADF905B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142677Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:11.205{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346A38289C7AA0E0D40616F1DB1BCFD5,SHA256=418FDB7229EF9FC654DEC009F7A44710FC885C06A5987114BDE893C3496D7E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179491Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:11.086{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CAB03B503A161FF85FC9DA5BC73A55,SHA256=9C2EDB611EB5913A4C8A741DE1871BC6C280C5E378913A49D7A5D445EB8CB10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142679Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:12.252{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DFE021C54871C1B7FA4146E4D161F9,SHA256=5F9DD4D65471ADE1559716249B93401FC023971ADEA5C53F4E9A709465793C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179493Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:10.137{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179492Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:12.102{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10E4AC8F806B4CD1B188C1698396D30,SHA256=826C1BD939A1F57275BF698CFA1B82D70FFBD2287446AC3EEAD6869952AEBE2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142678Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:10.116{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49953-false10.0.1.12-8000- 23542300x8000000000000000179494Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:13.102{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797707BB22DB7A3EF587DF8C43966981,SHA256=421535B90560E8E426E3DAE2CEBF5F375B86623DA7488B8DC09D635DD5989377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142680Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:13.283{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8850B0EE5D34D6D86096B509BD8007E2,SHA256=2FD6BD9A460C7010C9C759526F05D32C22462A8F1D164410062E519736FF5F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142681Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:14.283{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6242D13DC96A3CF52FD9F5DB93E1B161,SHA256=BB113B4ACC204565C9C5C4C02F44CC041B65096816C1B2E9BD04FB2E65AD13AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000179496Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-SetValue2021-06-02 07:54:14.618{5F1D3C56-34F6-60B7-1300-00000000C601}476C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75784-0x7b45b256) 23542300x8000000000000000179495Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:14.133{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B48B9EE3072E18AD359A718F15C740,SHA256=0AF29E2A0FC670635CD07F3A441BADF71D375EC3F7A13BC2C1F1CB839CD3BEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142682Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:15.298{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1050FF4B3B1E61350981525ED8B585,SHA256=970CA54BE14407CBB1C6DE6AED8589B3DC6212BFB708E577F2625DF9576E9F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179499Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:15.774{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C36A7CD5486C2BBD16D65256A762EF8B,SHA256=C0066BD0D175E2D1FC547C3CC4789C99764B0F84AD1A66DD50C8D7BA5C6EF284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179498Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:15.774{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D7BD7CA2D31BCF23C51EB986623878,SHA256=9D245610A4179CFA3000D1C45550E713D1453A9AEF0F1D86696B6D1594C69BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179497Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:15.165{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB01CE9C14282667B0CF736B1A010394,SHA256=86A3AF06E5B83C9876F8EDA5527AB3488627501EAC190E5DFFF84FD56281F294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142686Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:16.486{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C63F23F025769722D76E3420F6175E,SHA256=6C3E5527446B193D3CD276C8614946C2F62B5C60C51ACA16BBFAE1A74492EC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142685Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:16.486{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13204C36730BD6D7062E04562A81050D,SHA256=7CA1DDBBD12538D07D3EC72BD9F5EBFD37FC1AB49AD6FB3A4B66A884808E4132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142684Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:16.314{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901C9A80A072E33CD0C3858DE747A9FF,SHA256=2DDA9FC84908F4FFD0040E3BB61BF62F06DA77A8A0E655D0C6AAB3A819653A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179501Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:12.873{5F1D3C56-34F6-60B7-1000-00000000C601}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.191.34.156-17737-false10.0.1.14win-dc-410.attackrange.local3389ms-wbt-server 23542300x8000000000000000179500Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:16.212{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7500DC9CAA3D571ABAB575172F1E3AA0,SHA256=33728806874FC2F7DF586F8F7C705E2CC4E38AE4D1D8C78B6DEE6E5473731C9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142683Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:15.193{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49954-false10.0.1.12-8000- 23542300x8000000000000000179502Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:17.258{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BE2948654900C871965BF357C44F27,SHA256=E0218B9840F4820488011DFF5F930ACDF443086592E71FD1ADAA539CC00B19F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142688Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:15.375{9747DA6D-34D3-60B7-0F00-00000000C701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.191.34.156-23936-false10.0.1.15win-host-672.attackrange.local3389ms-wbt-server 23542300x8000000000000000142687Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:17.330{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBF1CF8A5935CCA164C74AE6AEC3B16,SHA256=FAC6737D1D0585C81B60D1853DD2A9F8B99A0F5E8287A5EE501569A18F2FF396,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179504Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:16.137{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179503Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:18.305{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6AA5D6DD0783CD2E39AE583FA17683,SHA256=5281186730BFE387EDE1A778DCEBB859C8D6F8CCC0416F73C13F505D44838A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142689Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:18.345{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270F1EC5F13CD91F7AD6CD5011D296D1,SHA256=1E7D8B18D8BFD79293842F3A441222EC075BD7E12E9E246FBC6F4B5D234720AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179505Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:19.321{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4956282EA23245883E32354C10839521,SHA256=7071144AD2E908E62F9EDEBC652F1E79F187F2C2772393ECD61254374C00D874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142690Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:19.376{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F875EA411D188DAE231811FF4F1663,SHA256=F8673340816DDCADB04662D5480E12C8B95E7E480362698976555729850CC71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142691Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:20.408{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490C5FFD6408516F0D9481507DC93EF8,SHA256=A15193EE1679F8BA29ED1E5C0E616100A393ADE760A3EE9DD2549E89FB5A76B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179506Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:20.384{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8675B4C30B8C0182CBAB4CFC9248EB8B,SHA256=ECDB163384FC65A81C436D33C756D90E3B54D9C425C201B6B2F031433211F2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142692Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:21.423{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8613BD7FA86FF4F0C33CB81340B19A6,SHA256=69E5B0955D7C4F930E6FACCB62C9215136CA4C57269A92A1683F844672564D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179507Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:21.414{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5BC4D60CE18E44EFDC9188DE93BD6B,SHA256=98F51ACEC29FC47E968453EB367B371465A3D43CBF9DC714030F5EF8CF7BA235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179508Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:22.508{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB87957DE1C8A7A1D332024246FEBAE,SHA256=F50DEFAD47BB6B52215B82193DEE5DCCB9282BCCD03AB29CD3942833E87012D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142694Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:21.146{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49955-false10.0.1.12-8000- 23542300x8000000000000000142693Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:22.470{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E5EE3FBA3370677832CD7F35E309C9,SHA256=AE69DE378AD82F76CFA152363584563A1B1664F7F27223BC706D72134604D71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179509Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:23.524{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F2CE7D0A9C8E5566A28E4C9F0C0AC2,SHA256=F64B4EC557086138AEED7D2E542CFC4F0D334EDF27790FE974A1CFC375B85099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142695Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:23.486{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D249E8E298A764B9B7259FD3B0AC3B30,SHA256=E2B15647768895C1A96CA35E21924F1F28D5C12702A05C4448ACC81DAC520CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179512Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:22.152{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179511Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:24.555{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86EEB5B4BDCE95B0915D4A880F87F50,SHA256=BEBD76B44B0EF5F73AC702DDA997572FCC757045045C0E89B4CA1A2FCD7B49ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142696Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:24.517{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078FB6EB7F46C538E7154326CD0DDDC1,SHA256=A97F85551C6AD3688756F37DBBD4EF43CC418D1D513038329661839A57D85B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179510Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:24.055{5F1D3C56-34F6-60B7-1200-00000000C601}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6CCDDFC4B3C2E455BD1182EA79EBDD5D,SHA256=8415ABE8C04B2073A2A01E47FB989B618E2C11AC8868AC359D098843CD41272B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179513Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:25.571{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C98D0EFD1BB05D6386CFBDC4C2626A,SHA256=0CB01F59B8886E3FB38BDA306271D6A93C93FAC4EA28840929347491A1684740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142697Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:25.548{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4287CAD0299DCFFFFDA01547DD202A09,SHA256=1BD18974C618061833B93A72B0D11C6FE87A2600375CF85D15B1009CD77E7316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142698Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:26.595{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087D30588A99CDB5903A40AB0CC43DA3,SHA256=4022026B6A4BCBE8F0CC662EBDC64290C39D7F69CD45EB16AFB677C10A01AC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179514Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:26.633{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5221F0E883340C47AF8B1DBA9C19700,SHA256=6432E0CB55B95862DA3AB8A11B24265BEA72E16B5C7C50CD82B7E18580AC9F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179515Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:27.680{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD970ECEF9C4F59B97C6D99A275832FC,SHA256=0C52EB71C229ECF5A3EB03303F04DF25FD7492C2F120DDE12FDE80DED672E6F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142700Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:26.318{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49956-false10.0.1.12-8000- 23542300x8000000000000000142699Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:27.611{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E343E2AA0F665A8EC3A0C763C5DD6B14,SHA256=920C0554A43FAAC9214457275562426DAE7F30CE34154BA4A5A6E5491F6EE9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179516Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:28.696{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8118E70DDFC753DC17333DF9B063842,SHA256=947FCFC1C540348934F8345798E2E4694ADFEBE5D364B66C4DA2CB852B566B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142701Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:28.642{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4237B7AA1BE7DBC9B44DC6F14CAD356F,SHA256=CD9E2096FFEEB40DF0D87503CBF7522F49C611198436638D9C2BB276CC989F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179517Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:29.696{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CBD43B4958382F151E8976B8D16425,SHA256=A580D83D19029880B3E359C6A950A97A10BBCD95E443192B3DF268C23A7457B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142702Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:29.689{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31E86DE04DE3D92BFDCA1CC33DF3455,SHA256=02A461819590D5BFED348A979F396D2E6FA5189E75595633517C0B8A73C5A1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142703Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:30.720{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E448748371B555AEB6F24E53971B9D,SHA256=FA2DF121CCA010DDB22868A61669C96DC9249072016ED171055E51345893755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179523Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:30.712{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A422F14050CC9AB72DEBF2F7C81DC5E6,SHA256=D7AC5941CFCF2919BF03FBE07C26FBFF229F94759DB298CDEA6D6DCF97853B01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179522Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:30.118{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179521Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:30.118{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179520Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:30.118{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179519Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:30.118{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2A00-00000000C601}2192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000179518Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:27.292{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179524Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:31.727{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A757EF9C49966CFAFA6BF2699EE727E0,SHA256=A2422E3DE6EFB5ACD6AF9A3C8C21083EBF12E446AFF143801A9FA2FBFD859D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142704Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:31.736{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235983303055369E17C6E609398B6B52,SHA256=BED52929543DD53670314FA944F17F5F596CCE4B01929AA52B17D1A0A8813FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179525Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:32.743{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3196E777076E368AC75FA36D9B09497D,SHA256=480437444E4073465C02781878A0554122CAB4958063DE49BCFB0B075AAC5A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142705Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:32.751{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DAC92224F92CFEC858A409BB9CBEDD,SHA256=1D0041CDF2C3B85F2DF8FA8A33FE61C191C418CC3EA81CC277C732BB2D79EA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179526Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:33.790{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A18483ACA5FA77CDD069D42C68D1E4,SHA256=D785D9B82AC3AD4DA7EF5AF1957D7A2DD11688385CE126A3739EC4DEA16D912B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142707Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:32.178{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49957-false10.0.1.12-8000- 23542300x8000000000000000142706Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:33.751{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1215830B0D15CFA86F752C3709CA5A,SHA256=C24EDD2466F8F6DED3139595FB12370756F9AFAD66BD81EAE2A28C08364EEA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142708Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:34.767{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8238CF5CD76CB35E09FF741C38C0C636,SHA256=AA107312A3F6F09BB3690D05FE0BDFDD8C0EF15A7DF8A581B933C02678BB3EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179527Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:34.806{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749ECECDC71A218CA92C6DE1FE51AA6A,SHA256=597FB2EFF38539D0896C22F528A60FCB2F549CD5B91C5AA2A5250CA0922631FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142709Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:35.782{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D839D7D718798FAED81A7C3AFCF569AB,SHA256=2F17205774CC594C21F3E13F6FC80B203285A4F7724B7E2A9C1AB40409E80D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179552Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.806{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D77E156840C9C809D3FE3C4E12FB83,SHA256=02D6C798EF6B4F2F8F85B14A395C9CB7A59FDE3A01277374D395B0277E9F50C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179551Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.337{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179550Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.337{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179549Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.337{5F1D3C56-362A-60B7-AF00-00000000C601}47684792C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179548Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.321{5F1D3C56-3629-60B7-AA00-00000000C601}43924572C:\Windows\system32\taskhostw.exe{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179547Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.321{5F1D3C56-3629-60B7-AA00-00000000C601}43924572C:\Windows\system32\taskhostw.exe{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179546Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.227{5F1D3C56-362A-60B7-AF00-00000000C601}47684536C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179545Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.227{5F1D3C56-362A-60B7-AF00-00000000C601}47684536C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179544Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.227{5F1D3C56-362A-60B7-AF00-00000000C601}47684536C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179543Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.212{5F1D3C56-362A-60B7-AF00-00000000C601}47684536C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179542Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.166{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179541Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.166{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179540Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.166{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179539Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.166{5F1D3C56-362A-60B7-AF00-00000000C601}47684936C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179538Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.150{5F1D3C56-34F6-60B7-0F00-00000000C601}2881584C:\Windows\system32\svchost.exe{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179537Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.150{5F1D3C56-34F6-60B7-0F00-00000000C601}2881340C:\Windows\system32\svchost.exe{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179536Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.134{5F1D3C56-393B-60B7-5701-00000000C601}41245588C:\Windows\system32\conhost.exe{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179535Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.102{5F1D3C56-3626-60B7-A000-00000000C601}37643588C:\Windows\system32\csrss.exe{5F1D3C56-393B-60B7-5701-00000000C601}4124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179534Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179533Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179532Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179531Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-3626-60B7-A000-00000000C601}37643588C:\Windows\system32\csrss.exe{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179530Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179529Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.087{5F1D3C56-362A-60B7-AF00-00000000C601}47685992C:\Windows\Explorer.EXE{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+20f260|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1700e0|C:\Windows\System32\SHELL32.dll+16ec6c|C:\Windows\System32\SHELL32.dll+19e878|C:\Windows\System32\SHELL32.dll+16ee06|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000179528Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:35.086{5F1D3C56-393B-60B7-5601-00000000C601}4160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp\test"C:\Windows\system32\ATTACKRANGE\Administrator{5F1D3C56-3628-60B7-E8A0-090000000000}0x9a0e82HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5F1D3C56-362A-60B7-AF00-00000000C601}4768C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000179556Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:36.821{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B11AA94D049A4A0FDE2D72E426BE00,SHA256=A05D1DF4CC7EECF8D6FC7DC9F4C0FDFACECD70A5CCD7D703D54F7D73764F2378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142710Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:36.798{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82CA0C3EDFB63C58128A3EBF32D0D8A,SHA256=A33882474ACD76C6C80738ED7C1EA7B204997BC7F7FDD848C0CE6CAEA9A36065,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179555Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:33.183{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179554Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:36.102{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922CC9646C8D9580904F297EE9FFD334,SHA256=552D63F1D3FA73CC763BE2F5AB04261F18000617A514C24E8FBFAE6B08F2321D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179553Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:36.102{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C36A7CD5486C2BBD16D65256A762EF8B,SHA256=C0066BD0D175E2D1FC547C3CC4789C99764B0F84AD1A66DD50C8D7BA5C6EF284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179557Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:37.899{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FA60BDB9DB0A31A5E48D04BE764A0A,SHA256=630F55E34B6B3519CFD33A747D945005A057C4B7AFCD6550F1B069DDFB30780F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142711Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:37.814{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0020A66F3AF1886490917DFE70E305,SHA256=CE391920FFE9F0411AE687C3112FA415D78C02E37A53763BDCFA45631A656295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179558Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:38.915{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC188FECA64DB225AAB9DBF71DAB8CA,SHA256=E8E749E9A6BFF73769C2B5E8305A43ACC6D638727459810428AAC060A7D86BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142712Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:38.845{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8D1F8FF02416B4E928CC769CB036E2,SHA256=902BEC53686FF7601F28C5AFB1EF3B97C2F027CA9750C3F9648CD01BB661037A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179559Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:39.931{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8261B578F2EC0ED9DE2DB8FCBACFFD5D,SHA256=5DA44329078582C1891D4076B3BA437DB826BF4B825CFA4CAFA8E18C7DFFE621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142714Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:39.892{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66069D48E06DB245D68528C3F364210A,SHA256=892A564A1D5A7FA493EABAAFFB7EEF238103E76F97962F84C3E11BEC0FA42F12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142713Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:37.193{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49958-false10.0.1.12-8000- 23542300x8000000000000000179560Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:40.963{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475C12E868DF6AB2EDA0512C78688FEE,SHA256=0129255296BD526A352F5CED83302DD052BE2BBCA1F5A82FF7704E1F40C4EAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142715Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:40.907{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0F5925603AF385B75ABFF26D3EA38A,SHA256=EF7D9E1B1D016E4C35D61F29CA17C9AD9940CF2E00B46719D48C52EF316ABC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179562Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:41.964{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D101D658FD8CAE6C2C69F6ED524ACE04,SHA256=580BE158DF9F5ED40FAB93E461B4035967ACC20460E65B0A97C2CFCEC6DECB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142716Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:41.923{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365729DB7DF096B876C39D82AE30295B,SHA256=1389DB3AF6D1C97E28DBB99DDFC10240DB5AC047D8BE842DB473B872FB3125F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179561Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:39.199{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179563Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:42.979{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6C077A7E51D867C4BD7C2881797EF3,SHA256=07992E2EC2ADB519164FD95E6C0E5AC2CEFBEE3E38BEF3537CC40E63A9392EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142717Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:42.954{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220B1FD933D7FF06E8A1502808E24FDF,SHA256=3144D56A77DE2D1157FBA16D327A3C94B3176581CF817BB1F0655D19CAB74EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142718Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:43.985{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076DFF22BECCFF5E17328EB1AC210FC2,SHA256=0D0CCF2C286921F6FD3E3505520A1994A67137C83B1B7FE238C84D43C7F36E83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179564Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:43.057{5F1D3C56-34F6-60B7-0D00-00000000C601}8885628C:\Windows\system32\svchost.exe{5F1D3C56-34F6-60B7-0F00-00000000C601}288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000179565Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:44.010{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2964586417E8B6D7795BFF6859AF0EA,SHA256=453FAD7B383A5D43D4A012412E70E2BA3FB93C8DC736A96F80178A8CED8243CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179566Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:45.011{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF2589C3577F899A46A7D6738EBF644,SHA256=B14C17D64F6FF59CC5FC3B4D7DC0C5D62C0EF0BCF8AC4CEA042925C9BBEEBCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142721Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:45.767{9747DA6D-34D3-60B7-1D00-00000000C701}880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=194A7A491F9AE18BFD91232C3DBF389A,SHA256=821528D0984405BC323B788333E8253B5DB6CE1350C79F9D6B19C88BEDD236FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142720Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:42.302{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49959-false10.0.1.12-8000- 23542300x8000000000000000142719Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:45.001{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B840C84DC56E26F1198869F77E7618,SHA256=C14C7EAFDECFBADAE58540F7F9BB4D67BFC9EDFA755C7E60666D8EBD4889AB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179567Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:46.245{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805FC38DABBC838DECC5350E814F36ED,SHA256=5D4F63077B3B6E0C605EC7DBF8756DD591FA5B5D30CFF9FD8CAE640DCC4F69A7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000142723Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-SetValue2021-06-02 07:54:46.814{9747DA6D-34D3-60B7-1000-00000000C701}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75784-0x8e7663af) 23542300x8000000000000000142722Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:46.064{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9141D197A485BCF373BB8D6558D160,SHA256=F482F9067FEE6EB7AAF3DCF69C71DD226DFD63A391142C6592DD2223BB557420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179568Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:47.245{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C08FBCB0849156B245ADC95927E799C,SHA256=D287BCFC0E0FDB4399995859DC21991C5878A800C944CED7CF4295C9EE9C3B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142726Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:47.220{9747DA6D-34D3-60B7-1100-00000000C701}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=43437D7A7DFE879C047A468EF7B07963,SHA256=2766ED8D5443DCCBCE2E041B6F715C6441EEC83277C166F4BA186C373E725773,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142725Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:45.818{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49960-false10.0.1.12-8089- 23542300x8000000000000000142724Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:47.079{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC3E587CA1A41CD946DF7C979F0AC93,SHA256=CC76CF86DE7318E6C41782CC4EC46A1CC3021BC8097C81B8D1483541998CF346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179570Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:48.261{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4D81BA30638116018B4E419DABB50,SHA256=695408AABFFEB2392E0EF4905346C4E285DBE26A9A3199028FEF2AFACA4AF1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142727Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:48.142{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52E6DEA6E3EF47DD1107A7A18EE5F81,SHA256=A08CBEDE416EA38546DC4DE3C1E4E94304808BA7965828D2A680FFEDB920785E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179569Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:45.153{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179571Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:49.276{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A9C4380736B62944CF05092A4D46A7,SHA256=8F9FD3FBD3B773EA7846079B76506C5A81482DCE4CBDAEC6F6A8090EDB1BF85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142728Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:49.157{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA295C4B059849089821A71110CD8C9,SHA256=ADEE26C8B345ED210846591E1D8039BB58361ED158E37DB1AEB248919DCDA79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179572Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:50.292{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B78BA46314B74E5B3FC4A5CBDFCC4C,SHA256=60403A6FBE35913E228BEC85B2ECF4BFD444BF221C0FCF65D0AC98195FA9E7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142730Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:48.208{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49961-false10.0.1.12-8000- 23542300x8000000000000000142729Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:50.220{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728A55DC9B2A0177F6CE6DFA9BC8E05E,SHA256=BAC83729F5C3352A6D3AAB49E242687BBDEB342B2E202D1C318FFBA603CB674D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179574Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:51.355{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612F92ABB9BBFA18139567B5F8C932DF,SHA256=996C2EE7545FC53B98FEF999D1B3276E94ED6F5BB8A3EF6B6D2CC5DD1FADF203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142731Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:51.267{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5899E1EDEC8ABD3DE39D64095F0FB6D6,SHA256=41EBCCAB6DACD911F0D627D7B107E26D10A66312CFE240D96DBB8E7C7C980915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179573Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:51.276{5F1D3C56-3507-60B7-2C00-00000000C601}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=194A7A491F9AE18BFD91232C3DBF389A,SHA256=821528D0984405BC323B788333E8253B5DB6CE1350C79F9D6B19C88BEDD236FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179576Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:50.310{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58532-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000179575Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:52.386{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6256DFBD00AE63DA47D6470857A9F70,SHA256=EF9CAA5A6E5A699191D42516264DE01DEED5857B473998D4D70EDB8841BCB79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142732Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:52.282{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C7842DDA2B59B6AAEE94F3B4BF12A8,SHA256=4074D20BCD951FE086C7C8C9689D7773374931BFFD641131C0F0B074AB478D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179586Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:51.106{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179585Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.386{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCBE54000C8732CA66514391F84BB94,SHA256=FD63A55FF58F73B93C989D56C32EBEE3B7C96F5D16DBEB7C2CF1B12BE70F607F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142733Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:53.298{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D590E64059B0B1A1909ABE10BD5937,SHA256=DE4F4AE4B67966F928A0B5734C7ACDE25F7214BEF348DD0234629061B2752749,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179584Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-394D-60B7-5801-00000000C601}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179583Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179582Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179581Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179580Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179579Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-34F4-60B7-0500-00000000C601}4081252C:\Windows\system32\csrss.exe{5F1D3C56-394D-60B7-5801-00000000C601}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179578Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.198{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-394D-60B7-5801-00000000C601}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179577Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:53.199{5F1D3C56-394D-60B7-5801-00000000C601}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179598Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.417{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B005560A94F9C10FB838AF893032F592,SHA256=FA71F3359AAD9AB882E86709E64F5F309E7DDE6ED9F9991AE15B0074AAA1A6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142734Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:54.329{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E9510254811CCBFDBFE341C017EEE9,SHA256=960FA929EF6A497611CA59D4F5236BFB8F525B90FAFB6218A3FBC7C3B3EB1698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179597Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.230{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592B709B3A328EBD32AB3A625D33C7F9,SHA256=29932255675701864907068C8A56036E310BB029D9CBEB66C1CD0666C607452E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179596Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.230{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922CC9646C8D9580904F297EE9FFD334,SHA256=552D63F1D3FA73CC763BE2F5AB04261F18000617A514C24E8FBFAE6B08F2321D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179595Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.230{5F1D3C56-394E-60B7-5901-00000000C601}42844068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179594Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-394E-60B7-5901-00000000C601}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179593Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179592Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179591Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179590Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179589Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-394E-60B7-5901-00000000C601}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179588Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-394E-60B7-5901-00000000C601}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179587Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:54.027{5F1D3C56-394E-60B7-5901-00000000C601}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179609Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.433{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744B5FE4AB1B18265DBA56CAEF312583,SHA256=02B9436446B478D00C5E8CB8CB6E01D232206BC3C9867183ADDD0C0026C56F0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000142736Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:54.146{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49962-false10.0.1.12-8000- 23542300x8000000000000000142735Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:55.360{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C72B79C5FD0AB92BA1D982228BABF3A,SHA256=5FEC792DDF614F1C21317631C68CD7EF4075339E554488CDD0A405143F2FA887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179608Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:52.638{5F1D3C56-34F4-60B7-0B00-00000000C601}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-410.attackrange.local58534-true0:0:0:0:0:0:0:1win-dc-410.attackrange.local389ldap 354300x8000000000000000179607Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:52.638{5F1D3C56-3507-60B7-2D00-00000000C601}2496C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-410.attackrange.local58534-true0:0:0:0:0:0:0:1win-dc-410.attackrange.local389ldap 10341000x8000000000000000179606Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-394F-60B7-5A01-00000000C601}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179605Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179604Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179603Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179602Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179601Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-34F4-60B7-0500-00000000C601}4084620C:\Windows\system32\csrss.exe{5F1D3C56-394F-60B7-5A01-00000000C601}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179600Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-394F-60B7-5A01-00000000C601}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179599Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:55.027{5F1D3C56-394F-60B7-5A01-00000000C601}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179620Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.792{5F1D3C56-3950-60B7-5B01-00000000C601}45045348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179619Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3950-60B7-5B01-00000000C601}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179618Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179617Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179616Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179615Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-34F4-60B7-0500-00000000C601}4084620C:\Windows\system32\csrss.exe{5F1D3C56-3950-60B7-5B01-00000000C601}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179614Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179613Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.573{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3950-60B7-5B01-00000000C601}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179612Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.574{5F1D3C56-3950-60B7-5B01-00000000C601}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179611Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.480{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6EE679DDE1A8A06399AE263C4BAABE,SHA256=55F11B290BF061D7AF8BCAB4C3E65DE62210534B00F03BBD92B270C091E6765A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142737Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:56.360{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BFC60B1C788A0112BE4E87C78DFF6E,SHA256=23DD8AEEDF7377713065F68556FC61C3DDABAEAAD90C618FFDDBD96D74E3CDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179610Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.120{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592B709B3A328EBD32AB3A625D33C7F9,SHA256=29932255675701864907068C8A56036E310BB029D9CBEB66C1CD0666C607452E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179631Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.933{5F1D3C56-3951-60B7-5C01-00000000C601}61404952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179630Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3951-60B7-5C01-00000000C601}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179629Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179628Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179627Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179626Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179625Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-34F4-60B7-0500-00000000C601}408424C:\Windows\system32\csrss.exe{5F1D3C56-3951-60B7-5C01-00000000C601}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179624Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.714{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3951-60B7-5C01-00000000C601}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179623Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.715{5F1D3C56-3951-60B7-5C01-00000000C601}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179622Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.652{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7E975543ADAAF701A9CE63EC0EA6970,SHA256=C554E1F44EC5146B1AE18562925F810BDADC0AF59EACA61140D10A79F99ED5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179621Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:57.495{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C56572ABE2B985F3EC808C65B59519B,SHA256=4B8FB9C971D43A15365DA6794FE787D3AFF403F50FB1461B84A496F0F80FD6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142738Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:57.376{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E503C11E7A003BCC29E9F9B8E9683C7C,SHA256=A104B61BC629FA5912D2D58FBC374A867640C9FF621B78D284CEF5B047075340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142739Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:58.392{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2399066E2E36F1F87FC77CF4D3ED70,SHA256=16C5B22C24F56DDCF8CC983226E1A4418D6B2F9FE0ACF8A04162B73D52A5452F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179642Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.942{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7713DA07FD773678B2EE4F10FAD94524,SHA256=7CE7A52FCC60B1F81D68769025F3F13493E49290EF494833CFB1B85FB5AA46DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179641Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.551{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA095A46D432B6C9E6018C97F793015,SHA256=9890C42F6AC36EA9C2270A0C61C3121264EB9A6909D0AC31D0CB7DBFA74322C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179640Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.411{5F1D3C56-3952-60B7-5D01-00000000C601}52885340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179639Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3952-60B7-5D01-00000000C601}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179638Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179637Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179636Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179635Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179634Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-3952-60B7-5D01-00000000C601}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179633Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.214{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3952-60B7-5D01-00000000C601}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179632Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:58.215{5F1D3C56-3952-60B7-5D01-00000000C601}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000142753Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3953-60B7-1301-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142752Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142751Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142750Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142749Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142748Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142747Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142746Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142745Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142744Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142743Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D2-60B7-0500-00000000C701}420536C:\Windows\system32\csrss.exe{9747DA6D-3953-60B7-1301-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142742Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3953-60B7-1301-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142741Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.767{9747DA6D-3953-60B7-1301-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142740Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:54:59.407{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E30F358CBEF1EA65AA939648FFFD9E,SHA256=72D806DCA303C3A773254818AB151497720B0F2B19E90ECC7B288F4F842302CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000179652Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-3508-60B7-3500-00000000C601}33083328C:\Windows\system32\conhost.exe{5F1D3C56-3953-60B7-5E01-00000000C601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179651Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179650Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179649Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179648Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-34F6-60B7-0C00-00000000C601}828104C:\Windows\system32\svchost.exe{5F1D3C56-3507-60B7-2800-00000000C601}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000179647Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-34F4-60B7-0500-00000000C601}408524C:\Windows\system32\csrss.exe{5F1D3C56-3953-60B7-5E01-00000000C601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000179646Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-3507-60B7-2C00-00000000C601}12803356C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F1D3C56-3953-60B7-5E01-00000000C601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000179645Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.881{5F1D3C56-3953-60B7-5E01-00000000C601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F1D3C56-34F4-60B7-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5F1D3C56-3507-60B7-2C00-00000000C601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000179644Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:59.584{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427D9C508CC4650862EB19670F8C44B7,SHA256=53D87E882A5F79606335C4942A2B2281FD3A9A6CF04432D8F046A9BB20D641FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000179643Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:54:56.309{5F1D3C56-3512-60B7-6C00-00000000C601}3952C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-410.attackrange.local58535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000179654Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:00.906{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F511DD59DED3C607F9CD07C0364DF777,SHA256=15A403008562B7D59C110D9B5DF4307E6629F15D753EB894F8E9934707B76ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179653Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:00.594{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5122770CB073DB805B06AD34EBCDB040,SHA256=DF645FC6C8E038CA1DEDD0EB32572EC6757E1083F431FD6BBCB56846DA9BCDA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142770Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.813{9747DA6D-3954-60B7-1401-00000000C701}18162292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142769Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.813{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33918D78BBDB039AD718CF5D96C49081,SHA256=C8E1D10D5A1C5EE40AE0F406CEB3E1FD1E9A8FAFA529BB6BAC1FA98910AFFAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142768Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.813{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C63F23F025769722D76E3420F6175E,SHA256=6C3E5527446B193D3CD276C8614946C2F62B5C60C51ACA16BBFAE1A74492EC8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142767Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3954-60B7-1401-00000000C701}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142766Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142765Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142764Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142763Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142762Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142761Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142760Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142759Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142758Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142757Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D2-60B7-0500-00000000C701}420436C:\Windows\system32\csrss.exe{9747DA6D-3954-60B7-1401-00000000C701}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142756Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.657{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3954-60B7-1401-00000000C701}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142755Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.658{9747DA6D-3954-60B7-1401-00000000C701}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142754Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.501{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4D85AF664ED77039BC1D5B462B9960,SHA256=891B1C128B8BAD3067EDBFE0B945C00354E16565008A5C63890CA9314B81AF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142784Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.642{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7578BD3DE25FDF46CF74DF43C791BF0,SHA256=E63399B78E2C30E4DA66EEC3F79262E59A682EE0B6336CAF2742B615E3B9F29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179655Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:01.610{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C5CE9142DC82394316521A2B6AAFE6,SHA256=E4819482FF387CBF02460316CB20F9622B6E665B7FB4160647F799218143E70F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142783Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3955-60B7-1501-00000000C701}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142782Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142781Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142780Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142779Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142778Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142777Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142776Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142775Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142774Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142773Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D2-60B7-0500-00000000C701}420536C:\Windows\system32\csrss.exe{9747DA6D-3955-60B7-1501-00000000C701}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142772Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.329{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3955-60B7-1501-00000000C701}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142771Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:01.330{9747DA6D-3955-60B7-1501-00000000C701}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000142787Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:00.162{9747DA6D-34DE-60B7-6100-00000000C701}2996C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-672.attackrange.local49963-false10.0.1.12-8000- 23542300x8000000000000000142786Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:02.673{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249393818A92ECA5900F0F8D82BF0AFC,SHA256=B11C31D359F9356998660AF4B4B5B7BE5BE876B94601216536C2FE4698B4BED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179656Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:02.625{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D0CC9A12FCFC4E4691DAB72C95F0DE,SHA256=54CCF969E9621D7C7846F41CDD2FBE3F012EF09657874BCF26A67B2CAF7734DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142785Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:02.563{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33918D78BBDB039AD718CF5D96C49081,SHA256=C8E1D10D5A1C5EE40AE0F406CEB3E1FD1E9A8FAFA529BB6BAC1FA98910AFFAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142802Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.735{9747DA6D-3957-60B7-1601-00000000C701}26202152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000142801Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.688{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D68E2DB813211A536F5D8320945CD80,SHA256=D4C06BEA9A5BAB0A0FE82DA758DDD64759F163D48F48A40840D32A75FA759063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179657Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:03.688{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A50223CE3A0934F94D4959ECDDBCDD,SHA256=7D64F32FEEA4EB91679DD2D6BDB3950908C8D8D52A8C0CA4449A10A14DF33373,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142800Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3957-60B7-1601-00000000C701}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142799Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142798Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142797Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142796Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142795Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142794Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142793Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142792Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142791Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142790Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D2-60B7-0500-00000000C701}420536C:\Windows\system32\csrss.exe{9747DA6D-3957-60B7-1601-00000000C701}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000142789Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.563{9747DA6D-34D3-60B7-1D00-00000000C701}8803592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9747DA6D-3957-60B7-1601-00000000C701}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000142788Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:03.564{9747DA6D-3957-60B7-1601-00000000C701}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9747DA6D-34D2-60B7-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000142818Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.720{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66000FC816281AE6D8A251CFACE917E7,SHA256=38948F807D578173AA9E67CFC5F4319F24604679B1AA80F7689D3F4E1F305DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000179659Microsoft-Windows-Sysmon/Operationalwin-dc-410.attackrange.local-2021-06-02 07:55:04.735{5F1D3C56-351A-60B7-7500-00000000C601}3376NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF66F92F69BE553D769E88F87568A8E2,SHA256=D6CB1BFF1C81D6AE636B8E082C5E4AAD0D8FD87E9F81575A71A6BA96A11590A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000142817Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.610{9747DA6D-34E5-60B7-6A00-00000000C701}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD77CD54682AA122DF8B6CDD7B78C0C,SHA256=3C38C86F673E17F01220715478E3CB906CC8D21FFC8B9FD270037AE45807AF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000142816Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.548{9747DA6D-3958-60B7-1701-00000000C701}21204052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9747DA6D-34D3-60B7-1D00-00000000C701}880C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142815Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142814Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142813Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142812Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142811Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142810Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142809Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6D-34D3-60B7-1C00-00000000C701}1348C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142808Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D4-60B7-2B00-00000000C701}29322952C:\Windows\system32\conhost.exe{9747DA6D-3958-60B7-1701-00000000C701}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142807Microsoft-Windows-Sysmon/Operationalwin-host-672.attackrange.local-2021-06-02 07:55:04.376{9747DA6D-34D2-60B7-0C00-00000000C701}732844C:\Windows\system32\svchost.exe{9747DA6