23542300x8000000000000000158755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.893{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C09D4B7A1639D01ACD3D0BC82028D2C,SHA256=F15B41B9C28EDE779D089759CC1A9E1A91CB483BE47C26DEFF310C5CFEECE744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.721{189417FC-29F0-618E-8001-000000000602}45404532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.176{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46013E6C085E71B3036C35FFEEAA644A,SHA256=3B587B45ADA4898FE0B30B14D4E56B8719476A20A91A58841921127F8A90161F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.331{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000158745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:37.107{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04083943DF38A63C1AE6C010B9AB539D,SHA256=EF62D41136DAFA57518876F802EDDB461BA5E359942B40048D3836021C878751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:41.189{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D29666B8A3F68FF2AB66CFE34157AF,SHA256=6BCA29629F14E70B44C2CA621623AD741626B4839AE604900B4F678DBAEA7442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.596{189417FC-29F1-618E-8101-000000000602}48444900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000158764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.361{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D7AC5B60226DE304692754B2B9D6D5,SHA256=0BAA9D32B23430C4E3D892FC267CDA0973265EDF67EBFD70539AD604C15CE077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B7337C6FF31E9F90BFCED50185F057,SHA256=8E388FB6D3553E672A060366DE03D4E4050E74108F97B1085EE1C7044989A60C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.716{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:42.204{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4DC017A56E0777BF96B6779001EE72,SHA256=FD85C13A074DE23424C6D38DE81C5D9208B95B52F7E7F1A3CEC7F44B00A99ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.314{189417FC-29F2-618E-8201-000000000602}41964216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.112{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:43.220{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DCACF56BAF909DA5C72BC0F46DE66A,SHA256=8D9BA50C21175B3B5FCC2401DB626666E5798145A232DC7256F3F941B7197F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.550{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.127{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD14CE93BC31CB6AB4A68E68B2976BF,SHA256=C7499DBDE8388BB09E1F08CFC0F0A9C2A011C23FD897A6FCF72E326973521F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:44.236{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DAE5667872B16439E17A553C0FA06,SHA256=6513C9C2465A50DBCB43C97B0107304AC79605BA98E9F2FEFBA6CFAE83BCBB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.564{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069159AB98AB67AA14058844A965D621,SHA256=EE0018F0DD431FDD50B6299550927E0605E00241C836D4C720135EE9B23B5257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E6DA13DA0B8972DB9C5E9ECFDAB79,SHA256=19AA2147AF45F771A88929A11F46547950F03371D0FB4371BEE138EEFA551A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:45.251{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA441589288ACDF67ADA6B35C8C2B2A,SHA256=9356C61404A42F87680C6076A237A694BF83B9F747B159521CEE1A43EC6F9B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:45.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A95CA67F60168D3632ABC3F82E6CD7,SHA256=309368AF10A80422B3CFD3A5535BF862A9F4A8D07E2E375F8F0FFE4B4E96396D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F690F06715942332FD0C54A336D68FEB,SHA256=43B0AE108D4916892BA700970D3E5CC4B8446BE2ED864CDD5B68B4B9929F522F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:46.299{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B3095638E172D11A114FAA3942158B,SHA256=2BB4D62E900EC15D1EDC55CE13C697F174EC2EF62940CD921D5432793377BF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:47.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D7014806043833EAD3A99620B5EF9,SHA256=F5C0705CFFC47267CFFCA739ABD6C57A0090DD5ECB3764CE82B3A43DB9938C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:47.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84B0EFAA27A03E76D9A7932BB458528,SHA256=CD378013BF4952DEECA6D492BDE86200F2C52F1348028BBBD5F52D4783954C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.658{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4BBFD4BF9D8A5CAF9EDD23F0E19BD8,SHA256=E25A56B7AD9254A70A03DC0443428FE79305FFD6EB1F7ED31CC9A98D7BA6365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:48.283{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80D3DD0FFEC97FBCAC7F498F3419C51,SHA256=0B6565B8966EF4D603F821AACA623B02D2F17002A56F4D13EFAC3A133DFB7199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:49.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A42FDFA1DD4F982078E225DF2A07878,SHA256=00C4C5FFC83305152A554523C02F5555B272C977A81C69AF17F723EBD9800FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.397{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-027MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.285{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9329E8A8CF7F78971EDEC7B9761F9F3,SHA256=E4EB67F6BACD4E94A358168E9F20D467029594A8FC80C3512C916ABC08A5D5A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.575{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:50.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA286BCAF103709FC0ED13E5D44695E,SHA256=9CC794D50006D13D2C053BA671EDD25255A0BB3B8331942A1C11D35288482D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.398{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.287{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A221C3D8EA32735637411074E3C7DD83,SHA256=18AA8A53AD21270914EB21A40899A7E986770F07A9F49FE833D32E7142D83FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.154{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:51.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FC38A0F323691598CE4841978812A3,SHA256=6D0432C72AAFCA1129B5CD8590861BB257C01FFCFE9FC28A507EBD9F07B67D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.303{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D9CF0EE4B4927EFD42C02B66BEB54,SHA256=2876695E8C50A2BE7E067329D8A09B620703961F28D18461AE7746F3D00A523D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:52.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389B30515345DC9962B5D6DF085F384,SHA256=C8DA5D6F12639B8B5AD5AAFBAF9ABD64BA02FF9B5F645E935AFCB884237FD246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:52.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295CC0BC8E3BAA75F44A8F2798387CC0,SHA256=7EDDC7EB4B75C8E609B32AF354BF1545D6705A93A91F5909B418C41FAF2FB38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A864F22AAC98FFD298DC92D33D0C9,SHA256=4381142CE8E05A310013977C6673E01B8CD986684B22D425C2F412C7C5DB280D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.658{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:53.381{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10ED4D3A7CFE67818BF0D6169D8F494,SHA256=4DA4F803E6F607974EE26F30AF720FFED5468C31D3922ED4F225D5692CF234C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:54.830{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E181CF2E707F7F6BD08CC000F2C6AE85,SHA256=3F9813A59EA2B31E3990C6DABF2D7D1F0F61CB26CEC3CA67D54C16A053A1D89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:54.412{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722249F40A509514F84758E0EB741A2,SHA256=87EE78B1EB0F1A242876A8AE15FA7730A58C477B5033526809E324EB35C6599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:55.521{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2949428E3B1983A1D8018BC9E3425,SHA256=2A4B1CA082B001F9764EFD606926E38268A7E714467D2EC52C786E3B4F16DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.537{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD0D4DC8EE8268874037F570AB29945,SHA256=080E91B5D72A551E0E7C9F85E6326EF2414D98C8E4D281A2A3766E96D2E0FA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.248{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:56.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8459A5408D9EB99A689208524A178B,SHA256=885BF35FE5EB42502FD0E5B0B5D33BA8641716EB3E4153155838B3460335F3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:57.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5770218BB5DFC1AAE47518DF83F085,SHA256=E463F1B3E5D918A6261C351054BAC2B996F0323C6EFD85EBDC74DF501D6D129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:57.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA3F349A228FD2615B2B2DA6E507D70,SHA256=964E6DF1EB0EF35C2C2747B28F7B6B230B2F3F855D97F3B0500845F6D5869E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:58.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF71C0D0426809423EFF9708AB0A2B3D,SHA256=BBDEAAA071251B1D1452B3BB5C3A7EFDE4A45FF7FE5B892EB34D66484A48EED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:58.252{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0420EB29E8C3D65684B31087643A905E,SHA256=9492D233C977B06CBC6266140D19866F3529CCE1A0D2691A0AD8EF12CD030EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:59.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882982284A0084C10960B15F90D74AEE,SHA256=0315B510E198B0E9BA80B6CB6B2E011B3811FFA01F4533E69BF1B535CC2C9C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F88D5C88B6D3B039B58943CA9C075C,SHA256=8F9D74813B80A6699650DED18560F8E40FB319D6F69ADF7BCB47CAF8DB1905FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:00.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF1CFF23BC2C9ACC565754FAC6FEA62,SHA256=FD2FDA56C87257B0C5CC2D4B5CB48F2F71ACA4BFA18B86237A73205481E5C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:00.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B118B8B4D450ED6DFBB54E8FD94720E6,SHA256=3F79A8753580E5B91587419A79530937E72ACEE89BEBFEAC0B19D568B3796D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:01.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B41450EC585EDA115E2FC3D2F18E9C,SHA256=4CE686CA4B36B2A09DCA60E0B000FF2D2860E25469F0A0DBCE1FAA804F36A366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:01.705{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940073731243303C1E7CEF4F2FEA3DF5,SHA256=4150A29CC4E49193BA8E1F8023B0A2634563FF3E50E7BC1000899CF0B702F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:02.721{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA3F2CB79EE30582EAE52D7BE4191CC,SHA256=86670F512D6128A6A3CE359A09147E8BD130BD3239FE57880D03528EDF4ADE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6E9B2757DF0349F020E783A84B8753,SHA256=50D96333B8CD5E977F39572EAD04739709035FF1F806EC872A7E47C517636F31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.201{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:03.752{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724E389D7E138304F26AA57E6B1EE6ED,SHA256=B59F55DB08BBF4325045363C3214EB7AE9FF163D49D276DF8360458F26596C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:03.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B590D3BB10A5BFC2FA699F079118DA,SHA256=97BBD55392AED134485D30FD9DCD45DF88763A243EA7FD5F3C1EF563C4154B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:04.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D198158D27A4C5BBFE83E9D8511238D6,SHA256=E1CBA06974F9109B759817E77875C2BAEC1E6278681842F78FD5A8511A962600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7375F7D161EDC2641943E87DD07B0E31,SHA256=226CE879C01E00FD0C79EDEE3489A82881ABEBF5BC59E76FCA2C4F87DE2D4B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC494B9FAACCA3EE92A7E372F7DB70C5,SHA256=3970B6633F5FF66EE10C3B76375FFF08DB2674304F55C2101EC461E7A10A04A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:05.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02A288D1AFDB156FB015126D6FF81E1,SHA256=5CCE076C0412FE8318762CFF70CA355719D4D1F430415BC8760FA3C3D53F9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.615{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D92744A99524A0DA4F955BBFBE900218,SHA256=FA4B8EAA5B8D2C20209E0E7FBD0A5B7F753031BE2BE620DEE2072D3BD737BC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.582{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:06.924{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499D07D460A17A105CBBF6149533F4B,SHA256=66AB7C734E62FFF2C1A23E1D3CD59687576C46000E1E93154F27DDF16AD5E112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:07.957{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550B064E5229373377E4A5E727CA32FD,SHA256=5EF3D1A2250F005842D6AE61A955DB8D19FCFFC3C4E5E447696B522789612428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5303C019E4AAFAE8BFC90D7CD053899E,SHA256=398B60E0F2C6AA204D7B82EBFA53C656B790B6E709027F0D87BFFC26CFF29A9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.963{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394374F0504289857D565F7FCFE1C54,SHA256=6ECAD540124D21BA3002763F3E2C9CB059569820A9AA1CAFC9DEFBEDD89EE672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:08.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D87FD1A1C7C1D434A45A0AF21CB59B,SHA256=886B24E91C5E748CEA4E405FE83BC64A2C49DD2F18AA42D479702FE2500D5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.682{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F03897E78B201BB00D24920085B5676A,SHA256=9F9B897F26F788281FC84A2D57BF3FFFE86590424D7A2A88B0C4D30A4A8F6FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.040{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-027MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:09.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7386CFEF9DA09FA64BFC9E2B46D9D24,SHA256=F2AB7AE286DA4B7984247EBC2DA363D69592703F4FE64BA6ED6B4E496D4A179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:09.044{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.013{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6811B159643F776FE03C20C2023D0EF9,SHA256=99CBEBD331CEA87FA9E905304DFC87CEC44DF1C72D7209A1464023C7AA473481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:10.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2E85344D04BF1F33C9CD76F7F1C9F9,SHA256=E39164561902B788E64C49800F624F92BD72D63D3FAF8B11CC4D28742548E145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:11.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D6C9BB0B3E79A394DC3F3CF44E843C,SHA256=F8D6C7A0611C09182C755DDD726FDAB399580E54DC820062DF3BCE53468BF9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:11.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25871D9D393DB6DE4D45CF49F534C3E7,SHA256=F99199F77951B4D74663CDBC1C7FAF176567B40285C061AEECFCA8EFFB0422E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:12.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F6BB7B1B5D5F6D159D184182AACDD0,SHA256=B6CDC825277077ACD33449254E2BAA4BCE1A90C3F93D098F254A3D5FFFD6CC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:12.295{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39F8555D6AC07B8977EABE974FCB63D,SHA256=C1CC06F850472BC2FE2E3DC8504086BC557F67DB007A60E3C546AEA45BD5DAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.212{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:13.310{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBA193DDF4F0DE3A5C8A5DF5301B149,SHA256=9C411490AC1D55FEACB0C9572DB089C52B7C65529DE6D6819DCB497168DC2894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA03BEC8420BEA83FDF8550BEB37E35D,SHA256=E08DD1D9770C4D6FB2EFC771FA101A3FE217990E100BF79DE82CDC60F317FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:14.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959BBEE90D739DE94FB7AD17E2394242,SHA256=BE50AA074241690E8123B72222DC5AD26278EBE02CF5C805400EBF1ADD98F621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:14.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE6C7B55C9099B731D93F4D2101279,SHA256=7683DD17F35FE0027A399A48186192EC6C538441ABC7EA3B79FFDD3110A100D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51F611AEB15BE5143D2361EBECF90AB,SHA256=ED87D709316069B3B0A3ACDEBDCBDC6BE9289C26FEAE23E1795FEB2C9A28C160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.225{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B54C917C87DA047748489C91060C6F,SHA256=622747A97F97A57160E5C19138AAE2B7043A7174398072C03E7557FD051D025A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:16.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432A39449E5B025F785C8BBD2227B1D5,SHA256=3B52D3B0A9EDD866AE4C57ED3B7D51D73C837660C9F5D0A1CFC602441DF3DE71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.768{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7455D2954D89B521D6151E694B3861E7,SHA256=4D149E6A84B961B12E589A5F6070BDD46C2D61EA85F29E34A18DFE2E5573A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.225{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:17.685{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069AD00A5902586FA5307CC29B009527,SHA256=005E56E5337D2DDB671CF7D229E5556DF74734262BB638A5267939FB7902DC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.804{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.490{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CFFDC481229174E9465E4EF1F53B40,SHA256=D8B9656721216F2752D806381CE1D8E9489DCD804FAE5DAC508740AA1475B1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:18.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20DA9CBAC1F34134A8C636EAB323A6,SHA256=E905CB753F75A76FF98CE44832F274642F84E9CA8A43ED264B362F0F035C8201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA8C81C8D6932EC4687914E32BB651D,SHA256=786EFE1144E6843AB47BF9497A9892158B5E2157D57263449F3D1E773D729153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-2A16-618E-5B01-000000000702}1880512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.663{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EF42D228235BBE9A8FBEE3B782C656,SHA256=3401CE3C8AC0D92E71F27A53C38D06D6FAB2704609C8186C75F5F447B63F9CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.752{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000158828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:19.951{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8495BEF5B646C97FBEDD1E5B00943B8,SHA256=CC72B06B2D5C19128679BED4C1FC37B55B9512C29A06867075DE4BD562D15755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.335{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.022{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D35531D7651B8836BCB71579AF50056,SHA256=3B5E3A38AEA11FEADD770C300F659DF1C315C4B8BA5B8A40EF840B6F0EE79C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.014{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC1D8213481E397DE45B2B379108BB5,SHA256=66B580B65227B28B9D145D0A47C0AB9DEAD28B8A442E3282178C893CAECDBC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.835{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.611{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.287{147D18E0-2A19-618E-5D01-000000000702}37083344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.132{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.115{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23067763B465BE50448412EE22873E56,SHA256=AB24A42C276A1C96FC90A046BB466F2326F7F527D2D8316B4CED9DD0846212B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.045{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA273DF45CDC62C8256649B69690097,SHA256=4243CB73B05A0E18E305F430A3C5DB306216B1E1DBB3760CAC04D26FCF7AD020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.662{147D18E0-2A1A-618E-5F01-000000000702}40602836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.507{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085C81346A4B2F052113D9462B2966DB,SHA256=12C5E407645B20D0F219C6677589C2E7FC7A22CA112CDCD8231BFE83F0FFC4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E45C4030B0E21D1CCFB94247CB57C7B,SHA256=70716189DC2EC9468C65643F13C87C8D40F1970D962ED5DCA11CA0673D23CAD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.006{147D18E0-2A19-618E-5E01-000000000702}35523696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5BC9D6ED073268788AB918B9EE2900,SHA256=6C6F83C0B3A4C5F548518D488B4F20220A59D93BD151E81175534D9AC3D43C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3701E72CC84BAE6F4356F056E809481A,SHA256=D5CA088D41C6E9D943DC6FA17B655058900299D84D1E3A2E5B853F985031FA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.357{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BF83750CD7A04D87C3C9821FAA7EDC,SHA256=86FA242C76E5C333FE5875088D2E45A7361E188662D03D99D18477DCAFB066F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4426C9E49BF10A442D0807DA918514DC,SHA256=FC326811141A7AFD321034213B8C62401CAF3331AF9254766ED6A597BEC21EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:24.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC6F8D56BD61BBA11D1F68F7AB27A3F,SHA256=C02058A5F03137B549D9C057C346C862E2A53EDFD1DCBC2A76C50FBA46139BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.304{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D89502B9B94D9D362A5AA5D969A477,SHA256=7546FA88CA7266B65DFF8B48DFFF1474EB415FE61F98D599D4A428427E0D05A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.365{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EFF8C144769E69AE2489FEDEF21FB8,SHA256=1EBF22CC0444D252B0F23FE8EA1345EC983095E70981EAD828037227866EFBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.369{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000158837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:25.139{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8EFD855E97FAE7ED1FEDE12A40B274,SHA256=E579C2621E495EFC4F80375CDB85D11B31DC453DB3E322192F6C72465111817F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:26.443{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A21A89ADCE572FCDE341DB8E3D34A,SHA256=2C2815B378B0CA7ED5E98479F941B8592B8876D5D935B068C892ADC9F00CEA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F5BECA95783182F346D117F0F2DEF7,SHA256=6D7D55A081C65CA1A4DE7DE1343595BE23286C876BC91D0B4EDF044866B3AD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:27.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C868B8AB00A8FA3408256A746A9036,SHA256=70CCDF391124355A9C8131C52A867217E3B295E90149AB2E5B0479F7B604589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:27.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81B9FE61CF4A93C6AF4BB18769817C,SHA256=48B895E8284E28D10A1EB809C07C7DB8A53149666FAE588643F05FCCE2107894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.720{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:28.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B53F6283F56F7B2F8A86CA1213456C9,SHA256=4CF7C731BBE44ED2172537150DD8C5ACF2F7FC9F6E834E26AFDA1A40CB761281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:28.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40E0F34F3D7004CFF04EBBCA6807A7B,SHA256=E5E8626D170D0EE09249E87F4F8F7630C66A9794610B8AF6D1EF4B5463A3E2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:29.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C3BFD96BD424F6DA671476DC4EB547,SHA256=C66BE067FEA65495B1A52DC8288294BD95E33C72C911E0710F4FA7288ECFF28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:29.185{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E629280630ED0A434D12D522F56C8AE,SHA256=45B7C5B73A568024D7F9AC275990BFC9BDCDA410EF4BC944977280B07C47C2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.662{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D0DA09570979F9B15177540FD2DB80,SHA256=EB9773D49EFB947FA0BDC6B47408C3F4E2C2CF74F33A122C44C6B182B4B34427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:30.201{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211C54AAB9B8E216CE4BBC04953DB1D3,SHA256=7520FAC93D7A65EA47196556008329A4F427034735C4748E77A7C7C3E341851C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:31.678{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1733F75EC590091C8B0EE5DCDC832A28,SHA256=43359E396515FE5B187C7D3B60B58963A5F9113EDBEF2DB8D1018D8B9180F9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E323E6D92087722802C4CA933BE9AB7B,SHA256=7736E822EDFDCAFA37276766F42CB9F0D6A256877475A136C1155CAA51E5972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:32.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EE040934AF47E9E9E813F53EE255BB,SHA256=8817DC4039AFED2F771385F752D316F212993BEBD71BC48FBB8F8B7E4C7A220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:32.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D395328FBD5931DA1C94887A0FB76772,SHA256=30750198875509A5772671BA45C8E1367DDBD35DBE5FC47D8E10F8CD98BCC36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:33.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AC4C589060759E5E2A7613C08403DC,SHA256=82FB15876CE31DB38E6189C76E13ED80A00877452309BB90FD6815533587174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:33.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FF4692009EE83E9F3B6003448F9A32,SHA256=B64781796BAE9708509FD5860D565C9DF9DF396CCC3F07CD547F1FC53CECF80D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.595{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:34.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD948F51F83D5F8F3B98CEB5B31D726,SHA256=062CBE32E67DBE836B56AA951719DB3DD40100838121E28FA52E6358BA7E7BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:34.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F1EE8D145616E67C2B369CB72EA580,SHA256=C1921104E1F9E387CD932CBF8E279B83A42D9745D7F2D9F04123592B6FC5FC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.290{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BD909E30CA54BE37D72D02F161E15,SHA256=99C92FF0DD87496C90FFC10ECF40182F18D0EE60B14EAB25233A348C0E0F1FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:35.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5864B7DC429C11F57AC67683C435514E,SHA256=3954AE3B7E18A282785773975804FDAB9FCAEA2173341ACB8515C7A824EE0D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:36.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD2CDFAD58937D7F5365149E2225DD6,SHA256=2B1A63937AC66CE943F7B498662CF1372B41D3BAB661C139C04500BA00B71705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.921{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D368699380D6A5A367E83301959175FF,SHA256=6C33FD55FD1C96B37AB93A71E6B23353DADD2D501232FBEF76A3B2C2FFEB423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:37.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FAC9BE3611911AC75933D6B4DFC2B50,SHA256=FE6BBAE7E8C358733D2428F3273F51E569AED3BBD520AE946CA331AD02233A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.921{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000158869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.670{189417FC-2A29-618E-8501-000000000602}46441160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.421{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FDE827320010FEB1BE2E983D68695C,SHA256=E6A8FE1A3C61EDACA0E5D4866BACFCF13109567A699D40DABE3EB4A5448F7705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:38.740{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB08175BBC4CD69FC891CB3104A4CF4,SHA256=F16F300A4E620E11C9FBAE35B79C8CC74128A455F1EFD37D896016C0F7DE8AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.248{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9976734FA46DE5225B6CF358CACA4C7D,SHA256=A61F4617A008F52DFF04868D7E723DCD325481F8978607C1333B01C11DAF173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BAB86E9BF7A3279C365F34B321A3AD,SHA256=490A26700725292D4E837B1D41C5B6AE6E05F50D31C201602D3EA803A1106B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:39.756{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1D91A7D61D05E2D385C0F18928EFED,SHA256=1FE92621C2DD17ED6EA76DBD2F75F13538B1CBE2F6ABB2A4D2C74F15F3428A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000158883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000158882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000158881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:39.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C92B81D446132F0EBCE3EE5094E6DF6,SHA256=394B0B9D133190E79EFEF5308943F1464BBECA59739007EC39CA853D2AE17FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.674{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.834{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE6072B00C434C7B34F2F870881B6E9,SHA256=DCA2D76E810E9963574EF08DC15ED3BA1864733E69781AB758AD83DB42E53B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.529{189417FC-2A2C-618E-8701-000000000602}26243348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.327{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F70EDC7DDF55E144B47544F4B2E658,SHA256=07C3243A3A74AC1E218E86A3DC2B5DA461A6CA422C95900C9A3966F5D122E790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:41.944{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF1DB58F4FB5B59672184D83A77DAED,SHA256=BCFDB60771A8BEF27D1C7C68A2E83AD898337C07A4C1A21337E0F6C8970C8A9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.670{189417FC-2A2D-618E-8901-000000000602}39281124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.515{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.342{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BD280425EFEEB3188C8C3CBBDA457D,SHA256=A8E716EFE6D4C7B1B2A0C3E597ABFBD5DBEA5FDDDC8EF80437BC9A2165569374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.217{189417FC-2A2C-618E-8801-000000000602}50244552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.999{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.733{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8F1B3BE3C2D4A62D299C5C5E81880B,SHA256=7EBE60C7FFFB1366E62BB56EDA48334847A13EBD75BAF5817C90BFE9C3ED66C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9C4B4E67A46487CE3A200268AD1F86,SHA256=D9E08341F4CA67F94DAFC1C43A9C94ABC4C298344938F82577945EE88226111B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:47:43.592{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf54d882b) 10341000x8000000000000000158925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.546{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.514{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EE1960E740D38C3EB32CC73B52244B,SHA256=18C55106C8F734D6D1DE3D682F2C1C9FB29E951C6F4BCBC6C71B3CC2B9ACCEF8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:43.319{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf523d583) 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:43.069{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7E16710E0FE008E076ED947FC7EC5,SHA256=F23C51240EC1BBB8E8F032583CF34DDC326C302C4F9C1F7A954F7557D1EC92FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.717{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6777284CF8FDAE9D635F7F55A7380F59,SHA256=51563E58FB6C3A8D2A9499C42B4E4B57CF619F8BC31E4F3FA7C05A4F5A05D8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:44.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CEB70549344E1AEDA9F818FBBD0097,SHA256=6CACA5866C2E00C5592A473EA7CA3F96809A1A0562CB113599747B642BC65884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6E4A0BA3F35BD170DBD5BDF6990899,SHA256=D34FF4564A1654C4EFCF5984BC22D2799267CFC2C25118B3FA1F987F3135D9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:45.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF6DE04CF01E597DA6001DD42D59470,SHA256=419669FC453DAB29FBAA51FD6EB66C35BA0020292B2982C7E3D544F5935B2973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:45.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563FD05EA51D9B8300853A2CBFEC3A8A,SHA256=FB61A56D1947D441CCC69FDE4C26BC9D4C564B2CE817C24FB5D1D80728C7192E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BD612768B5C0AD46D83B3C63C5F2DC,SHA256=4509786F4B77C0F508F36D49B499139C20E25AFE2621BC4E7AF29C9BCA2304B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.087{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:47.002{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B571B1339DD823955EFE76899BCBA2E5,SHA256=D4DC5419EAE339853CFEBAD32AD23DECB9A4CBA326BF3C807B27D2EC5E19B46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:47.428{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6F1C2AFF92457BA8B016233ED8437A,SHA256=4F2DAD100A82B9EB1C1F407C2348F36A635AFBF85977889EF4DDDB70BDFFF65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:48.444{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFABBE3E8B1D0C6AF50C6567D6DF3E3,SHA256=B7846A3013DF753BB5786315B1CA936DAD8B0FEC999CA98B1A10BF7A1CC11C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.596{189417FC-233D-618E-0B00-000000000602}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000158932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.237{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3CC45025A36D78B549EE8999F9AE77,SHA256=27B56A1739659EDA5A231D9E90134E1BE15980A32785E7B96C2870F10CA8E685,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:49.459{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9491CABA4EFB322B6B8A633FE3FE4565,SHA256=AFBE098A7F3868AB6AF142CFF9FE4B302BA722F782ED54340AC3B8076E350E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:49.284{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F370901C5C83CEA86F473BCD13984,SHA256=553F56915A4731553EAC87580D4C4762EB9D5CAECF49A29E8D071FD274BC5733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-028MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.695{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38BD480DA526C7E466E6D948033DE8,SHA256=52B20C3EF4A041B3AD2346A741A0FDBEB9F0CB1F7D4314EC8BB619B690218EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.150{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:50.315{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842A457089CBCF665F835D4F6285ACE2,SHA256=28E1A1F2E3371AFD0D05A978B4B96EDE856F181C6477529F903AF1941BD1855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.744{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273A0693D40629EC692DE728E6CA8A6,SHA256=8DF4BC7B658AC402662F81AB74E6D7D7EC64A93993BB0421DED1E58AFA184F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:51.409{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A4C975D9BC68CACA4F1A4BFED063FA,SHA256=1F7A80FF3547EBD105A10DA0A1D5D3C7F9BE7D6EB7FE877B97A7D75839FCE962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.760{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B140A75FEB9E5125E8FDD56EE92DD2F6,SHA256=22F3F1F5FEE60501E15FC99735EA2797810C4343775DFCF49A73B6E5B3992B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:52.424{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F93E71D1AC1DE80DB4AD6BB205FEC8C,SHA256=4124076FA560A470497F8702BF9C9FC744588EC80615C94AB234F129E108DD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:53.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573B20DA38C47A8A1B8EADA18F3E685A,SHA256=3522B4087BC0F13D65C0904BC87B261E179DE37F18C3F0DC93144EADD51F59FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.440{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A99AB868AFF5E2F592153DD13DFF0B,SHA256=B30933430F2792FA43847D1E21D87F7714650DAB4ABB611FF41B968437E01F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:54.807{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F4DA1CBF0DC768A92A9C89D7789A9E,SHA256=94301B2B038AD58870FE0113CBF00D71F58F04E0F772612703C4F7966D87728C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:54.456{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE6CF23CBCCD0591D1DA1B629FFF3DC,SHA256=982CE9C8D873EEB4072DAEEE82F603F6B9AB71909E93BF0D40A2AF951DE659EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:55.885{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45B264404D3D8814267C67D506C8FA6,SHA256=0F7EF4A15F8A386E2AD47A0CD2ECEA5F24C724FD9FD7E1CC8EFD61E720BC88FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:55.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1947B55D9CFF4D2417AB3E3CD2F58524,SHA256=1FF1DD1822A2549E631DE4F1B175C0FD2ED75C38755ABDF7ACB8691EC0E4F5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.615{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:56.901{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06D66A8C86AC5AF9787E22BECD4330B,SHA256=5BB21418E637882B9DF882F7F92C1EAE2376FA784C5180C66863BE0451088E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:56.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B90DCA7A39D6C1D7DCC4C56E283DC,SHA256=45524F1EB5B7EEEB0530E5461B02326FD6BC4E80B7751AE20226577BE757D1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.244{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.916{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCA40EA73E9816A899D2C38CF13EAD2,SHA256=6C83315357DC0FF719457C717468D1F11BE452BDA19AEA8F775A651EA6AB89B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:57.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022B3ACDA6B886A291CF236F6C0B725F,SHA256=365A0246F613D5E1ACF730452EC63E2C022BFE24403EB472F010B6C97D8F911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:58.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C30DBFA1185714180F9D7E12FBB8DB,SHA256=B273E77176FDBEABA31B1995EF33621E2288495ABBF5D518BD232B9C19DE13E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:58.503{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CABD5B8972A2D127B87CA7A7B050E0,SHA256=5863504DD481F34F07DEA8D07853ABEA7D256AFC6039C4D3C816708D66CAEC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:59.947{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FB5FEC5203A1A8FAEB8C587D1CE1B,SHA256=98FFAD7A9C02910B62BFDC94FED6E9B54415D1BF58DB39B929DB42524F8A786E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E26782D59DF55FB775C8B9F7768FF5,SHA256=CCAA52072DCA39E83BF52E9DB350FFA08BCB2BAD0080D02BE42356E62C6239DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:59.322{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xfeadd471) 23542300x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:00.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A80781EA5045650D77890B8CD49119,SHA256=FD0770ADF545CE9416BDDD31887008596A0BA911B7CE1259E73E7FFD57AB6AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:00.753{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0FC74CE043456BA0F9B90CAA9E31CA,SHA256=60598E8E1854ADA491F54963A847B7371249E28BEAC3395CA10BF1B0DD42E3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.771{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563D156A60407C28C84E10D7E64C68D4,SHA256=745EB84A8F822B2B7BE55171896A4C37C8E29526BBF0392FB5AEA365F7E8A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:01.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51911F1F0B18EDFEB3BD97590484ABEC,SHA256=A620C67AECF1533F2689D6B5AE71A37C78EB66813400108499766CC02DFB23BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.209{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:02.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D94158371D150FA742F3F559DFB9B,SHA256=DD9E55B0B6F0DC7C2907EDD642DD36F1B6A0D49C893A2CBE163A328391DE3255,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3528A095A552431D92B8B6FDD05F5F58,SHA256=B44B1320A117A138F350A7280A0398F8426521B0E8F0A98E09031A20D887E5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.978{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE1BE3EF939A9E0AD7B2774C46505D,SHA256=5803137ABA0779BB3A559800F8F5C3A95265AFAAF3BC6A25654A3274537DFE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.003{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E17BF7C0C3B847DA942706DF9AC07C,SHA256=9C415693171E40C58D57266B594453E4A1BF987D06382FE23D6471B34A37E185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F70D0EF5381C9B4EF4C75BDE5E3A4DA,SHA256=6731CB2FD401C6FDCD2D85CB7E4A6D9CB044F0A459ABD67AA3D8E1CECA1D4FF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\FlagsDWORD (0x00000002) 13241300x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\TtlDWORD (0x000004b0) 13241300x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentPriUpdateToIpBinary Data 13241300x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentUpdateToIpBinary Data 13241300x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\DnsServersBinary Data 13241300x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\HostAddrsBinary Data 13241300x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\PrimaryDomainNameattackrange.local 13241300x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\AdapterDomainName(Empty) 13241300x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\Hostnamewin-host-29 13241300x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseTerminatesTimeDWORD (0x618e3854) 13241300x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T2DWORD (0x618e3692) 13241300x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T1DWORD (0x618e314c) 13241300x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseObtainedTimeDWORD (0x618e2a44) 13241300x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpServer10.0.1.1 13241300x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpIPAddress10.0.1.15 13241300x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF79DA87E0A75F7405193EB382742EAD,SHA256=7BACF823785D6E2B5CCC33E5854B20AEFAF405B0757C4E4DA4A9F036FE4E4D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.619{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F4EFCD11DE585C27A7FCD90EE950D89,SHA256=5E9D1848F2CDDE9D1E28A63E4CA5E057A166D7970E86F72A90DCADA6ADEB74BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C586E5746062B8C3B57949ECF41C50,SHA256=AEC99EAB98CB8A89DBB82D88F5E53970D50C1479F2164DAFF1EF572CCA84885A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.503{189417FC-233D-618E-0B00-000000000602}640692C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000158965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.796{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2964796- 354300x8000000000000000158964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.794{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2958308- 23542300x8000000000000000158963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.065{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F08511017057A78F4CFB8A379E89718,SHA256=6A77BA9AFD5E95F5DCF713A783D821DA98A23E95D69A56F39D9957AFC0F9EC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9870:38cb:8c6:ffff-58485-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:424:c2dc:82cf:1fc7win-host-29.attackrange.local58485-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.302{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.740{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:06.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A4147EC74484C0C7066674C678C31C,SHA256=85F5C1C986BBD4E9F0EED4F3DD19F457A7B876B7354298920A9969D50FB018EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.275{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.096{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26916DF6359C8A7702F5B9483078C239,SHA256=C8EF544DD081E28864D536ED52036A3DD5686E73D462057050CC9A1DC24AAD74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 13241300x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 23542300x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:07.025{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF1A4DFA4D98BDA21451241572B3923,SHA256=333C90E0530E4AA61B7D4670C9E5A424E6B66FAF9EFD902159BE4D73BF9A3605,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000158988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000158987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000158986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseTerminatesTimeDWORD (0x618e3858) 13241300x8000000000000000158985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T2DWORD (0x618e3696) 13241300x8000000000000000158984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T1DWORD (0x618e3150) 13241300x8000000000000000158983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseObtainedTimeDWORD (0x618e2a48) 13241300x8000000000000000158982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseDWORD (0x00000e10) 13241300x8000000000000000158981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpServer10.0.1.1 13241300x8000000000000000158980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000158979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpIPAddress10.0.1.14 13241300x8000000000000000158978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.690{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54162E7168BB40034D3255BC719A12F9,SHA256=010F3776F1B20C3D4768BD5612EB0DC804F2D0D22984617ACC93908FBC922497,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000158974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.715{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2953853- 354300x8000000000000000158973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000158972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 23542300x8000000000000000158971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.112{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE6D5AA358F450ADC31786200BBA883,SHA256=E718A9208F5E37F515ED65AE89C274C1C60F13DDC0D82FE7206364019C601D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:08.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077FE2786FD6EAD5369FACA54AAE6CD0,SHA256=A905BCEBA137EDB244581C3B789F2493633C8E4CB163D120BFB264DB92387740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.568{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-028MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.223{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9116A6722039160BC7645D89C332527D,SHA256=F2479C581423A236F19D26ED7FA16E05EB6813DBCB369C6EAB2966EE72E81CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.042{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6225E4B8866D962DEBDF808D523B902E,SHA256=908C6BF6D3D50C768C1BE66B241FC9E81A7D26052039398B4726D9A2340E7401,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000159010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000159009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000159008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000159007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\FlagsDWORD (0x00000002) 13241300x8000000000000000159006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\TtlDWORD (0x000004b0) 13241300x8000000000000000159005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentPriUpdateToIpBinary Data 13241300x8000000000000000159004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentUpdateToIpBinary Data 13241300x8000000000000000159003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\DnsServersBinary Data 13241300x8000000000000000159002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\HostAddrsBinary Data 13241300x8000000000000000159001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\PrimaryDomainNameattackrange.local 13241300x8000000000000000159000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\AdapterDomainName(Empty) 13241300x8000000000000000158999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\Hostnamewin-dc-362 10341000x8000000000000000158998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.798{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000158997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.798{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000158996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.583{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f860:2c00:ce0:ffff-63249-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000158994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local63249-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000158993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.790{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000158992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.238{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F542B2796CEE6B61C990A33D9E9841F,SHA256=DAFD26F68BEEC9D56900A759F3503DE82AE889C1FE2B265187268E73AB6D2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:10.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268BCD75D6318133ED599EC07340A088,SHA256=15712EF16645A09611DD316D1117201286A7D2046DC47FB38F7C13DFF91C2D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:11.089{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9514B36CF69C9AD4F330CF1D765783,SHA256=4AAD26C601BCAF5CEA5E400B6E55707AA74AEB4B6FEFC213B2FE4B38380A5068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.802{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.239{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCECCFD5EBEE36CF733744DF8D99061,SHA256=9FB3C88E0F58B79F9A12F9BD280D1620E0304ED3D54176FE15DD6300C98BCA27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.054{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53701- 354300x8000000000000000159021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63808- 354300x8000000000000000159020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.827{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local54473- 354300x8000000000000000159017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local63249-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54215- 23542300x8000000000000000159013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:12.270{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8C8A6478B0BA9859FE820DCC7CC7D,SHA256=44D0389DCA2C40323240F757985AFDF7FDF2F5FC1FC2E05EC19C87B3D2A12DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:12.135{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82EBC2EA2E8CECA0D747FEBB1413D43,SHA256=9492B692D8C2CDA0369D8D786BDFE417E8EE39BE3319E4F04D2F63DAB26B38DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.788{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:13.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A0CBB60334F0A2D19A4BDE75028EEE,SHA256=6E539658623E20D9E4DE8E8020C64AB4E91730674B30D8AA5C345C213456F16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:13.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5451587FFBC172CC29FAF7DEE6BBA3B0,SHA256=3EACC1D9FF513C81EAA3A926C92AF2AB67FEAEA87A17C5AE89B162761B7F138B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:14.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6FAC8C8865BE5D00D8700047A9182A,SHA256=138A5C2CC5857535A08FF80DC18DD36330882B48E12133880779E139D33B6267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:14.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EEFCF2A31FE042247A068BD99DC58F,SHA256=A4FF225B2A1D86167FD1F4D0ECF13C98D707E3C9084F0DFEC9B47FB8FBBB2EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C72ADE2D9208D776112BD781EAF31,SHA256=66D9668976694B813EC3480E9223DF3094D3AE0C45B64FF6108F8A75860CBFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4803945048F2DBCB02E55ADBA2CA063,SHA256=D8CA0163AA68685D02F2714CE144091E255103C5707F607191E8D183BEAD60A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:16.520{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98D9C4CEC45622D704AD98E3398EE6F,SHA256=9D0BBA926D1347EEC12AAB50BC1A7CB243DC2A6946F893A84430FB07C7D1ABAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08871F13ECC986A558ECBE9DCB11198,SHA256=9E9E28C46BAE206223CE68BB60C48B3C5AE7EFE1ED7367F91B24E9D4C5436A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.245{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.792{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.526{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069E335D0842054E6C1C8855B5689341,SHA256=0F79121078DD77F1B66B8D473E648E8B08361FD2CF075817CC0E0909404AA286,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.199{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:17.536{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D50AB038CD756E3541979516DF18A9,SHA256=DC7B91E3B33F2865BBA668B4E8B711166A0EEBDE3BAFFF4A450A022507D9BA02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.552{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478307B02677CABA748C74BC398C8C5A,SHA256=9555045DAA0595EF9B526DBE7C25A8D5005CA00CDB6D296F6A982E8D831C2731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A173511C0419C053E968FFDB44D0E38,SHA256=9DC1A37EF0A6F4CEC22F3C2C78FE49F112B0EEC6231C7D1A1A962EFF4F578B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.667{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.541{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B7D4776608EFC1E911479944DA50B,SHA256=6EB75A9F79BA992DD4154C6242DD4BF7983DB88EC427AFE1253AF462BE6B64D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.772{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC8BF733F83F39504EFC676EAD21D46,SHA256=BD12E8D72B8DC804DA69AF02CFE227FBD4A3D7EFC6FC75B6704E963A9DCC1B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:19.770{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02DE47378DC2683C026E4A3BA8593E8,SHA256=2FE687D8E9D6DA4ABFF6D4D204579E5F523274F497E7F779ADB110B4401E902B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10401D6A02275DD38EE6412C607ED136,SHA256=DCF9505B0BE3BA031F8300A0566EDA7920A9FED17E137B6781BFA80AEA5B777E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.385{147D18E0-2A53-618E-6301-000000000702}26281196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.183{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.619{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C58EDF9B4C28570AEEF2F2C199C0E8,SHA256=67DAEEC8174D35C2007F90AA20F85881FCCA4F5749D5664C544FD0224E9ECE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.241{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.229{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.870{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3216ABE2ACA4127E3D09FE7C54D3D68,SHA256=08FBB8C615CC24769B6EB8C0AFD6EB6FBB7F76235ECDF54883A1441984A8791C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.839{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.427{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.005{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C020A63836E73068221A4E2D5A23BE,SHA256=FF0B6E3EB049D01BD198DC46BCAB02AB5ACBF9B293BDAA4CE659BC68376685CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.291{147D18E0-2A55-618E-6401-000000000702}35323512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.120{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.510{147D18E0-2A56-618E-6601-000000000702}26201004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.339{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.182{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC38FBAECA105DE446E98349EEBD17C,SHA256=F6CF9025AC6EA2E91C6B7B8A6BFEE6DD2B6001EE7343B29603709673ECE61241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.088{147D18E0-2A55-618E-6501-000000000702}16002864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.036{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B682A19183BF22C722BDF6359B7E4DC3,SHA256=ED695431F8BDC97EFC3AB589A10C49B1BE58DE1EEC39DAF8D95AB94551497189,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE3ED1B131A6108FAD6B8B9A02BDE9A,SHA256=D67A61C5E259F539CFFB6BD64F045A436B65414EE0C6A011954706F13A086219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D73C38EF49F3C6F05AD953B621F463,SHA256=8F11EA0ADB028086C7CC486ED10E532476807FEE580C55CD37A8567B8EE21843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.167{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.380{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F99F443456ED879602A665D790A0387,SHA256=49F16547AD1D44EA2CCB693A6CC7C74D27E8378B1ADF4EA954836B1DED861527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ECC33A7030CD3068859D7E84DE49E1,SHA256=602D9CB750D478BC116613AEDA232F34DF0F061341AF4697140D16348F40C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:24.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3716832B0F643F3EA497B8E0FC89AAC4,SHA256=F8B24E0B32C1AE3454DDDB9822D8C59F5592F94A3D301A66B550974E3F88FD6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.292{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BAA488EE5CA0BABB8F6F0A0B2C542A,SHA256=D4337B5FFBE5B0880FBD3384509901817F9548EBEABB8D4985765A1F707B3F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.386{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:25.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7F30F4237D014939CCAABED446A857,SHA256=5BA6AA0145BB50B7F47D266EB46F4BDEEA36722D269FC99355046414CD691283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55545054141098C7A4F5AE6D0703E6E7,SHA256=64D69C2C7C0ED5D28F7D9D568C5D7D93ADBBB7F8EA7506AE6C0F50624A01E469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:26.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577D67C38AA2EAFBFA7746848C2592B8,SHA256=FCBFC84D1CAC6BB6AF406AFDE24E618EEFA3FB72D7F00F776A26CFB5B2247D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:26.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9DEC7F502B6F43103880E5BE3B847,SHA256=596ABBA2F95DE1FAF78F7BEEF0D6659EFD4D39D8AA2B761B50C8F60515D661D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:27.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEA8566EAF1D418DBFF93B083E681CB,SHA256=BD7B1E20BFE09592D8AF5A1C717B4585EEB587B9B16F9551A47F7433A894AB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:27.115{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FAF3C585C391A4DD234A0EF182505E,SHA256=DF6588ECB7E216A72499DE8A02FA60C99CE1E2D74DFBDCF5266463DD3CD1C532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:28.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7241AC2B6847728787F11374C69A0D,SHA256=78176BDE1D6869F650A4B49B37EAFA574C0681C2D9322144E6A047B7DB077923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:28.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403ACAC1AA632FB64522DB893292C075,SHA256=4EDA706F2F1CB9E4999E5322B7EC9629356206EA83C75484A879AC8CAC115F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:29.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABB512B7A2153FCD63A056D04B9BA95,SHA256=5A064E24BF1E77FC5CE220